Blocklist Flash versions vulnerable to CVE-2014-9163 (15.0.0.242 and below, 11.2.202.424 on linux)

VERIFIED FIXED in 2014-12

Status

Type: defect
Priority: --
Severity: critical
Resolution: VERIFIED FIXED

People

(Reporter: dveditz, Assigned: jorgev)

Tracking

Version: unspecified
Target Milestone: 2014-12

Description (Reporter)

Adobe released new versions of Flash yesterday that fixed multiple vulnerabilities. One of them, CVE-2014-9163, has been used in exploits spotted in the wild. We should make all vulnerable versions CtP.

Adobe's advisory is at
https://helpx.adobe.com/security/products/flash-player/apsb14-27.html

For Linux blocklist 11.2.202.424 and below (version 11.2.202.425 is good)

Their wording is a little confusing for mac and windows. Their advisory urges people to upgrade to the new 16.0.0.235, but elsewhere (https://forums.adobe.com/thread/1654544?start=0&tstart=0) they say 15.0.0.246 also fixes this bug. Both documents agree that 15.0.0.242 and below are the bad ones.

This would be a CtP Block with "update available". If "vulnerable" is an option then use that, too.
Comment 1 (Assignee)

The block for Mac and Windows is now staged: https://addons-dev.allizom.org/en-US/firefox/blocked/p586. Adding a couple of QA people since we haven't done these in a while.

We have a problem on Linux, since we use regular expressions in the plugin description to check for version numbers, and the description strings look like this: "Shockwave Flash 11.2 r202". So, we don't have the 4th part of the version string. We use the description because of some problem that caused the version number field to be unreliable on Linux, but I don't remember the details, or know if it's still a problem. In the current state of things we could block up to either 11.2.201.* or 11.2.202.* on Linux.
Flags: needinfo?(jbecerra)
Flags: needinfo?(anthony.s.hughes)
Keywords: qawanted
Comment 2

We are still testing this. We are using the instructions from https://wiki.mozilla.org/Blocklisting/Testing
Flags: needinfo?(jbecerra)
Comment 3

Question: do versions older than 16.0.0.235 need to be blocklisted on both Windows and Mac, or just older than 15.0.0.242? The advisory recommends being on the latest for Windows and Mac.

I tested on Windows with a couple of versions older than 15.0.0.242, and that works, but I tested on Mac with version 16.0.0.219 and that did not work, meaning it doesn't get blocklisted.

This is the entry in the blocklist.xml file:

    <pluginItem blockID="p586">
      <match name="filename" exp="(NPSWF32.*\.dll)|(Flash\ Player\.plugin)"/>
      <versionRange minVersion="10.3.183.66" maxVersion="15.0.0.242" severity="0" vulnerabilitystatus="1"/>
      <infoURL>https://get.adobe.com/flashplayer/</infoURL>
    </pluginItem>

This is the description in the about:plugins page for the older 16.x version I tried on Mac:

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 16.0.0.219
State: Enabled
Shockwave Flash 16.0 d0
Flags: needinfo?(jorge)
Flags: needinfo?(dveditz)
Comment 4

For Linux it also does not seem to be working:

    File: libflashplayer.so
    Path: /opt/mint-flashplugin-11/libflashplayer.so
    Version: 11.2.202.356
    State: Enabled
    Shockwave Flash 11.2 r202

That version does not get blocked, but it is older than 11.2.202.425, as in the advisory.
Comment 5 (Assignee)

(In reply to juan becerra [:juanb] from comment #3)
> Question: do versions older than 16.0.0.235 need to be blocklisted on both
> Windows and Mac, or just older than 15.0.0.242? The advisory recommend being
> on the latest, for Windows and Mac.

Based on the first comment I'm only blocking 15.0.0.242 and lower. If we have clear info about versions on the 16.* branch being vulnerable on Mac or Windows, I'll expand the block.

> I tested on Windows with a couple of versions older than 15.0.0.242, and
> that works, but I tested on Mac with version 16.0.0.219 and that did not
> work, meaning it doesn't get blocklisted.


That's expected behavior per the comment above. Since this block is urgent, I'm pushing the Windows and Mac block live.

(In reply to juan becerra [:juanb] from comment #4)
> For Linux it also does not seem to be working:
> 
>     File: libflashplayer.so
>     Path: /opt/mint-flashplugin-11/libflashplayer.so
>     Version: 11.2.202.356
>     State: Enabled
>     Shockwave Flash 11.2 r202
> 
> That version does not get blocked, but it is older than 11.2.202.425, as in
> the advisory.

Yes, I didn't stage a Linux block. This is the second instance on Linux where I see the version number is working correctly (it used to appear blank in about:plugins), so I'm going to stage a block using the version number rather than the description.
Flags: needinfo?(jorge)
Flags: needinfo?(anthony.s.hughes)
Comment 6 (Assignee)

The block for Windows and Mac is now live: https://addons.mozilla.org/blocked/p794

The block for Linux using version numbers is now staged: https://addons-dev.allizom.org/blocked/p588. Please test.
Flags: needinfo?(jbecerra)
Comment 7 (Reporter)

Jeromie: can you help us out on what versions are vulnerable to CVE-2014-9163? We know 15.0.0.242 is bad, and fixes were issued in both 15.0.0.246 and 16.0.0.235

What about 16.x less than 16.0.0.235, vulnerable or OK? Or not enough of them out there to really worry about the ones who miss the auto-update?
Flags: needinfo?(dveditz) → needinfo?(jeclark)
Comment 8

(In reply to Jorge Villalobos [:jorgev] from comment #6)
> The block for Windows and Mac is now live:
> https://addons.mozilla.org/blocked/p794

I've confirmed these on production.

> 
> The block for Linux using version numbers is now staged:
> https://addons-dev.allizom.org/blocked/p588. Please test.

This is working on Linux on staging.

We still need to know whether we need to block older versions like 16.0.0.219 on Mac.
Flags: needinfo?(jbecerra)
Comment 9

(While you work on this, note that the Plugin Check page may display stale results -> bug 1084537. I added my detailed results to that bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1084537#c12)
Comment 11 (Assignee)

(In reply to Jeromie Clark from comment #10)
> https://helpx.adobe.com/security/products/flash-player/apsb14-27.html

From this page it looks like we don't need to block anything in the 16.x branch, so the only pending step is to push the Linux block live.
Comment 12 (Assignee)

Done: https://addons.mozilla.org/blocked/p796
Assignee: nobody → jorge
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2014-12
Comment 13

I verified this on Linux in production.
Keywords: qawanted

Comment 14

> What about 16.x less than 16.0.0.235, vulnerable or OK? Or not enough of them out there to really worry 
> about the ones who miss the auto-update?

Users on Flash Player 16 that have something less than .235 are using beta builds of Flash Player.  I believe that our first public beta was 16.0.0.219, and the fix was already present in that build.

Comment 15

Hi,

I updated flash-plugin to 11.2.202.425 using yum on Fedora 20. But Firefox still shows it as 11.2.202.424 in the about:plugins page and in the plugincheck page[1], and it is blocked. Also, the plugincheck page claims 11.2.202.424 is "up to date". I wonder if something on the Firefox side is not working properly.

[1] https://www.mozilla.org/en-US/plugincheck/

Comment 16

(In reply to alick9188 from comment #15)
> I updated flash-plugin to 11.2.202.425 using yum on Fedora 20. But Firefox
> stills show it as 11.2.202.424 in about:plugins page, and in plugincheck
> page[1], and it is blocked. Also, plugincheck page claims 11.2.202.424 is
> "up to date". I wonder if something on Firefox side is not working properly.
> 
> [1] https://www.mozilla.org/en-US/plugincheck/

You need to delete pluginreg.dat from your profile directory: ~/.mozilla/firefox/[garbage].default/

I think Firefox was running during background update of flash-plugin package, which is perfectly normal on Linux. When it was closed it saved current timestamp of /usr/lib64/flash-plugin/libflashplayer.so to pluginreg.dat file, but saved a version number from currently open version of libflashplayer.so, which was actually deleted in filesystem.

When it was started again it checked this timestamp and read plugin version from pluginreg.dat. And blocked current flash.

This is bad, as a normal user would have no idea what's wrong and how to fix it. Firefox will prevent him from watching his daily cat-videos fix from Youtube.

Comment 17

(In reply to Tomasz Ostrowski from comment #16)
> This (In reply to alick9188 from comment #15)
> > I updated flash-plugin to 11.2.202.425 using yum on Fedora 20. But Firefox
> > stills show it as 11.2.202.424 in about:plugins page, and in plugincheck
> > page[1], and it is blocked. Also, plugincheck page claims 11.2.202.424 is
> > "up to date". I wonder if something on Firefox side is not working properly.
> > 
> > [1] https://www.mozilla.org/en-US/plugincheck/
> 
> You need to delete pluginreg.dat from your profile directory:
> ~/.mozilla/firefox/[garbage].default/
> 
> I think Firefox was running during background update of flash-plugin
> package, which is perfectly normal on Linux. When it was closed it saved
> current timestamp of /usr/lib64/flash-plugin/libflashplayer.so to
> pluginreg.dat file, but saved a version number from currently open version
> of libflashplayer.so, which was actually deleted in filesystem.
> 
> When it was started again it checked this timestamp and read plugin version
> from pluginreg.dat. And blocked current flash.
> 

Yes indeed. After closing Firefox, manual removal of that file, and restart, the version number is now correct. Thanks!

> This is bad, as a normal user would have no idea what's wrong and how to fix
> it. Firefox will prevent him from watching his daily cat-videos fix from
> Youtube.

+1. Is it a known issue? Or shall we add a new bug report?

Comment 18

(In reply to alick9188 from comment #17)
> +1. Is it a known issue? Or shall we add a new bug report?

Unfortunately I wasn't able to reproduce this. I tried. Maybe it has something to do with updating blocklist.xml in the background. I have no idea.

I've saved corrupted pluginreg.dat. Timestamp (1416535856000ms since epoch) is wrong for libflashplayer.so version 11.2.202.424 from http://linuxdownload.adobe.com/linux/x86_64/flash-plugin-11.2.202.424-release.x86_64.rpm:

[PLUGINS]
libflashplayer.so:$
/usr/lib64/flash-plugin/libflashplayer.so:$
11.2.202.424:$
1416535856000:0:0:0:$
Shockwave Flash 11.2 r202:$
Shockwave Flash:$

Comment 19

(In reply to Tomasz Ostrowski from comment #18)
> (In reply to alick9188 from comment #17)
> > +1. Is it a known issue? Or shall we add a new bug report?
> 
> Unfortunately I wasn't able to reproduce this. I tried. Maybe it has to do
> something with updating blocklist.xml in background. I have no idea.
> 

Hmm, I simply removed the old pluginreg.dat so cannot reproduce either. But the logic of reading plugin version number at restart does not seem right to me. I'd expect something similar to check new version of addons for plugins.

Comment 20

http://helpx.adobe.com/security/products/flash-player/apsb14-27.html

"
Affected software versions

    Adobe Flash Player 15.0.0.242 and earlier versions
    Adobe Flash Player 13.0.0.258 and earlier 13.x versions
    Adobe Flash Player 11.2.202.424 and earlier versions for Linux
"

The current block is also blocking 13.0.0.259.

Comment 21

If we are blocklisting a plugin we should at the same time also update the Mozilla plugin check at https://www.mozilla.org/plugincheck; in about:addons this is provided as the resource to check and update your plugins.
Now that old vulnerable versions are blocklisted but on the plugin check page are still shown as current, with no link to any source where users could update to a secure version, this leaves many users turning up at the SUMO forums confused.

Comment 22

(In reply to thedukesd from comment #20)
> http://helpx.adobe.com/security/products/flash-player/apsb14-27.html
> 
> "
> Affected software versions
> 
>     Adobe Flash Player 15.0.0.242 and earlier versions
>     Adobe Flash Player 13.0.0.258 and earlier 13.x versions
>     Adobe Flash Player 11.2.202.424 and earlier versions for Linux
> "
> 
> The curent block is also blocking 13.0.0.259 .

+1
Experiencing the same, 13.0.0.259 also being blocked.

Comment 23

Blocking Linux add-ons seems to be a hobby with Mozilla. Not a good thing. Very irritating.
Updated (Assignee)

Duplicate of this bug: 1110893
Comment 25 (Assignee)

I'm reopening this in order to deal with the 13.0.0.259 issue.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 26 (Assignee)

Okay, so now we have 2 blocks for Mac and Windows, in staging:

Flash Player Plugin 10.3.183.66 to 13.0.0.258
https://addons-dev.allizom.org/en-US/firefox/blocked/p586

Flash Player Plugin 10.4 to 15.0.0.242
https://addons-dev.allizom.org/en-US/firefox/blocked/p590

The only difference should be that 13.0.0.259 is no longer blocked.
Flags: needinfo?(jbecerra)
Keywords: qawanted
Comment 27

The entry in blocklist.xml is up to date with the staged blocklist, but I tried running Fx release with Flash 13.0.0.259 and it is still being blocklisted.

    File: NPSWF32_13_0_0_259.dll
    Path: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_259.dll
    Version: 13.0.0.259
    State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
    Shockwave Flash 13.0 r0
Flags: needinfo?(jbecerra)
Comment 28 (Assignee)

Ah the problem was p590, that should start on 14.0 rather than 10.4. I fixed it just now, so it should be updated and working soon.
Comment 29

I've tested the most recent staged versions and made sure older versions of 15.x and 13.x are blocked on Fx installations on Windows and Mac. The most recent versions of 16.x and 13.x work. I couldn't find a 15.x more recent than .239 for testing.
Updated

Duplicate of this bug: 1111066
Comment 31 (Reporter)

Juan: you can find 15.0.0.246 links at https://forums.adobe.com/thread/1654544?start=0&tstart=0
Comment 32

The links in that page lead to a generic http://get.adobe.com/flashplayer site which serves the latest 16.x version. Searching the web has yielded no installers for 15...246 so far.
Comment 33 (Assignee)

The updated blocks are now live. While it'd be good to get confirmation for the 'good' 15.x versions, that part hasn't changed since the previous blocks and I don't want to wait until Monday to unblock the 'good' 13.x versions.

Mac and Windows:

Flash Player Plugin 14.0 to 15.0.0.242 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p798

Flash Player Plugin 10.3.183.66 to 13.0.0.258 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p794

Linux:

Flash Player Plugin 11.2.202.424 and lower (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p796
Updated (Assignee)

Status: REOPENED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Comment 34

I am running Firefox 34.0.5 (32-bit) on Windows 7 (64-bit), Russian locale, and I can confirm that Shockwave Flash 15.0.0.239 is blocked.

There are a few oddities though:
a) On about:addons page on the row for this plugin there is a link saying "Update now" (I am translating from Russian here).

Actual: The link goes to p178 page [1] which is rather old. The title of the page says different version numbers, which is misleading.

Expected: Go to either an up-to-date page (p794) [2] or to https://get.adobe.com/flashplayer/

My copy of the blocklist.xml file was updated ~30 minutes ago (by file timestamp) and has lastupdate="1418329021000" on its root element.

b) The p178 page [1] has a mix of Russian and English text. Do you need any help with translating it?

c) If I go to the Plugin check page [3], it still displays my version of the Flash plugin as up-to-date. This is confusing. This has already been reported as bug 1084537 a day ago, and mentioned by several people on this page, but there is no progress. Does anyone need to manually update data for that page somewhere? Or is it an infrastructure problem with out-of-date mirrors/cache servers?


[1] https://blocklist.addons.mozilla.org/ru/firefox/blocked/p178
[2] https://addons.mozilla.org/en-US/firefox/blocked/p794
[3] https://www.mozilla.org/ru/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update

(In reply to juan becerra [:juanb] from comment #3)
> This is the entry in the blocklist.xml file:
> 
> <pluginItem blockID="p586"><match name="filename"
> exp="(NPSWF32.*\.dll)|(Flash\ Player\.plugin)"/><versionRange
> minVersion="10.3.183.66" maxVersion="15.0.0.242" severity="0"
> vulnerabilitystatus="1"/><infoURL>https://get.adobe.com/flashplayer/</
> infoURL></pluginItem>

On my computer I see two versions of NPSWF .dll:
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll
C:\Windows\System32\Macromed\Flash\NPSWF64_15_0_0_239.dll 

The 64-bit version is not used by my 32-bit Firefox, but does the "exp" expression need to match it as well? I see that some other entries in blocklist.xml file are using (NPSWF[0-9_]*\.dll) as the regular expression.
Comment 35 (Assignee)

(In reply to Konstantin Kolinko from comment #34)
> I am running Firefox 34.0.5 (32-bit) on Windows 7 (64-bit), Russian locale,
> and I can confirm that Shockware Flash 15.0.0.239 is blocked.


Try deleting the file pluginreg.dat in your profile and restarting. In some cases we've seen Firefox getting confused about which plugin version is installed and that could potentially fix the issue.

> Actual: The link goes to p178 page [1] which is rather old. The title of the
> page says different version numbers, which is misleading.

Yeah, I'm not sure why people are being sent to p178. You're not the first one to report this.

> b) The p178 page [1] has a mix of Russian and English text. Do you need any
> help with translating it?

The parts that are in English are entered manually for every block, so they can't be reliably translated due to blocks being generally urgent and blocklist messages varying depending on the block. It's something we're thinking about fixing in the future, though. Thanks for the offer, though.

> On my computer I see two versions of NPSWF .dll:
> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll
> C:\Windows\System32\Macromed\Flash\NPSWF64_15_0_0_239.dll 
> 
> The 64-bit version is not used by my 32-bit Firefox, but does the "exp"
> expression need to match it as well? I see that some other entries in
> blocklist.xml file are using (NPSWF[0-9_]*\.dll) as the regular expression.

"exp" does need to match, so it wouldn't match the 64 bit version.
Comment 36

(In reply to Jorge Villalobos [:jorgev] from comment #35)
> (In reply to Konstantin Kolinko from comment #34)
> > I am running Firefox 34.0.5 (32-bit) on Windows 7 (64-bit), Russian locale,
> > and I can confirm that Shockware Flash 15.0.0.239 is blocked.
> 
> 
> Try deleting the file pluginreg.dat in your profile and restarting. In some
> cases we've seen Firefox getting confused about which plugin version is
> installed and that could potentially fix the issue.

Thank you. To clarify: this behaves as expected. It is blocked.

I renamed pluginreg.dat, restarted, and there is no change in behaviour. The new file is the same as the old one. Just for information, the lines for the Flash plugin in the file are the following:

NPSWF32_15_0_0_239.dll|$
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll|$
15.0.0.239|$
1417035043377|0|0|0|$
Shockwave Flash 15.0 r0|$
Shockwave Flash|$
2
0|application/x-shockwave-flash|Adobe Flash movie|swf|$
1|application/futuresplash|FutureSplash movie|spl|$


> > Actual: The link goes to p178 page [1] which is rather old. The title of the
> > page says different version numbers, which is misleading.
> 
> Yeah, I'm not sure why people are being sent to p178. You're not the first
> one to report this.
> 

I tried to look around for clues, and in
jar:file:///C:/Program%20Files%20%28x86%29/Mozilla%20Firefox/omni.ja!/chrome/toolkit/content/mozapps/extensions/extensions.js
I see the following code:

      } else if (this._addon.blocklistState == Ci.nsIBlocklistService.STATE_VULNERABLE_UPDATE_AVAILABLE) {
        this.node.setAttribute("notification", "error");
        document.getElementById("detail-error").textContent = gStrings.ext.formatStringFromName(
          "details.notification.vulnerableUpdatable",
          [this._addon.name], 1
        );
        var errorLink = document.getElementById("detail-error-link");
        errorLink.value = gStrings.ext.GetStringFromName("details.notification.vulnerableUpdatable.link");
        errorLink.href = this._addon.blocklistURL;
        errorLink.hidden = false;
      }

I do not know what sets _addon.blocklistURL.

From this it looks like there is some bug in the application, and not a syntax error/typo within the blocklist.xml file.

> > b) The p178 page [1] has a mix of Russian and English text. Do you need any
> > help with translating it?
> 
> The parts that are in English are entered manually for every block, so they
> can't be reliably translated due to blocks being generally urgent and
> blocklist messages varying depending on the block. It's something we're
> thinking about fixing in the future, though. Thanks for the offer, though.

Ack.

> 
> "exp" does need to match, so it wouldn't match the 64 bit version.

Ack.
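
The blocklist entry quoted in comment 3, the 13.0.0.259 over-block discussed in comments 20 and 28, the two-range fix in comment 33 and the NPSWF64 question in comments 34 and 35 all come down to how a pluginItem filter and its versionRange are evaluated. The Python below is an added example, not Mozilla's Blocklist.jsm: it re-implements that evaluation in simplified form (versions are dotted integers, missing trailing parts count as 0, every match regex must be found in the named plugin field, versionRange bounds are inclusive) and runs the thread's version numbers through the original single range and the split ranges. The match expressions on p794 and p798 are assumed to be the same as p586's, since the thread does not quote them, and the plugin records are constructed from the about:plugins output posted above.

```python
"""Added example, not Mozilla code: a simplified evaluator for the <pluginItem>
entries in blocklist.xml. Assumptions: versions are dotted integers, missing
trailing parts count as 0, every <match> regex must be found (re.search) in
the named plugin field, and versionRange bounds are inclusive."""
import re
import xml.etree.ElementTree as ET

# The entry quoted in comment 3 (block p586 as first staged).
ORIGINAL_BLOCKLIST = r"""<blocklist>
<pluginItem blockID="p586"><match name="filename" exp="(NPSWF32.*\.dll)|(Flash\ Player\.plugin)"/><versionRange minVersion="10.3.183.66" maxVersion="15.0.0.242" severity="0" vulnerabilitystatus="1"/><infoURL>https://get.adobe.com/flashplayer/</infoURL></pluginItem>
</blocklist>"""

# The two ranges from comment 33. The thread does not quote these entries, so
# the match expression is assumed to be the same as p586's.
SPLIT_BLOCKLIST = r"""<blocklist>
<pluginItem blockID="p794"><match name="filename" exp="(NPSWF32.*\.dll)|(Flash\ Player\.plugin)"/><versionRange minVersion="10.3.183.66" maxVersion="13.0.0.258" severity="0" vulnerabilitystatus="1"/></pluginItem>
<pluginItem blockID="p798"><match name="filename" exp="(NPSWF32.*\.dll)|(Flash\ Player\.plugin)"/><versionRange minVersion="14.0" maxVersion="15.0.0.242" severity="0" vulnerabilitystatus="1"/></pluginItem>
</blocklist>"""


def parse_version(text, width=4):
    """'10.4' -> (10, 4, 0, 0): a short bound is padded so it sorts below 10.4.0.1."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def in_range(version, min_version, max_version):
    """versionRange is inclusive at both ends; a missing bound is unbounded."""
    v = parse_version(version)
    if min_version is not None and v < parse_version(min_version):
        return False
    if max_version is not None and v > parse_version(max_version):
        return False
    return True


def plugin_matches(item, plugin):
    """All <match> children must hit; a missing plugin field means no match."""
    for match in item.findall("match"):
        value = plugin.get(match.get("name"))
        if value is None or not re.search(match.get("exp"), value, re.M):
            return False
    return True


def blocked_by(blocklist_xml, plugin):
    """Return the blockIDs whose filter matches and whose versionRange covers the plugin."""
    hits = []
    for item in ET.fromstring(blocklist_xml).findall("pluginItem"):
        if not plugin_matches(item, plugin):
            continue
        for rng in item.findall("versionRange"):
            if in_range(plugin["version"], rng.get("minVersion"), rng.get("maxVersion")):
                hits.append(item.get("blockID"))
                break
    return hits


# Plugin records constructed from the about:plugins output posted in the thread.
FLASH_13_259 = {"filename": "NPSWF32_13_0_0_259.dll", "version": "13.0.0.259"}
FLASH_15_239 = {"filename": "NPSWF32_15_0_0_239.dll", "version": "15.0.0.239"}
FLASH_15_246 = {"filename": "NPSWF32_15_0_0_246.dll", "version": "15.0.0.246"}
FLASH_64BIT = {"filename": "NPSWF64_15_0_0_239.dll", "version": "15.0.0.239"}

if __name__ == "__main__":
    print(blocked_by(ORIGINAL_BLOCKLIST, FLASH_13_259))  # ['p586']: the over-block from comment 20
    print(in_range("13.0.0.259", "10.4", "15.0.0.242"))   # True: the wrong lower bound from comment 28
    print(blocked_by(SPLIT_BLOCKLIST, FLASH_13_259))     # []
    print(blocked_by(SPLIT_BLOCKLIST, FLASH_15_239))     # ['p798']
    print(blocked_by(SPLIT_BLOCKLIST, FLASH_15_246))     # []
    print(blocked_by(SPLIT_BLOCKLIST, FLASH_64BIT))      # []: NPSWF32 pattern does not match NPSWF64
```

Running it shows 13.0.0.259 caught by the single 10.3.183.66 to 15.0.0.242 range (and by the mistaken 10.4 lower bound from comment 28) but not by the split ranges, and shows the NPSWF32-only pattern skipping NPSWF64_15_0_0_239.dll, which is why the 64-bit DLL from comment 34 is not covered by this entry.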

Comment 37

(In reply to alick9188 from comment #19)
> (In reply to Tomasz Ostrowski from comment #18)
> > (In reply to alick9188 from comment #17)
> > > +1. Is it a known issue? Or shall we add a new bug report?
> > 
> > Unfortunately I wasn't able to reproduce this. I tried. Maybe it has to do
> > something with updating blocklist.xml in background. I have no idea.
> > 
> 
> Hmm, I simply removed the old pluginreg.dat so cannot reproduce either. But
> the logic of reading plugin version number at restart does not seem right to
> me. I'd expect something similar to check new version of addons for plugins.

OK. I reproduced the issue on my laptop computer, updating the flash-plugin rpm with Firefox running. The flash-plugin contents of the pluginreg.dat file are the same as in comment 18.

Comment 38

And the timestamp after updates stays 1416535856000, which is certainly not correct.

[PLUGINS]
libflashplayer.so:$
/usr/lib64/flash-plugin/libflashplayer.so:$
11.2.202.425:$
1416535856000:0:0:0:$
Shockwave Flash 11.2 r202:$
Shockwave Flash:$
2
0:application/x-shockwave-flash:Shockwave Flash:swf:$
1:application/futuresplash:FutureSplash Player:spl:$
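
Comments 16, 18, 37 and 38 describe the failure mode: Firefox records the plugin file's mtime in pluginreg.dat together with the version of the copy it had loaded, so after a package update underneath a running browser the cache passes its freshness check while carrying the old version number, and the blocklist is applied to that stale number. The Python below is an added example, not Mozilla code: it parses the [PLUGINS] records in the format shown in the thread (':'-separated on Linux, '|'-separated on Windows) and models the mtime check as the thread describes it, reusing the cached record exactly when the recorded timestamp equals the file's current mtime. That rule, the record layout, and the [HEADER] and [INVALID] lines in the sample file are assumptions; the records themselves are constructed from the lines posted in comments 18 and 36.

```python
"""Added example, not Mozilla code: parse the [PLUGINS] records of pluginreg.dat
and model the mtime-based cache check the thread describes. Assumptions: a
record is filename, path, version, "mtime_ms<sep>...", description, name, a
mime-type count and that many mime lines; the separator is ':' on Linux and
'|' on Windows; the cached record is reused exactly when the recorded mtime
equals the file's current mtime."""
from dataclasses import dataclass, field


@dataclass
class PluginEntry:
    filename: str
    path: str
    version: str
    lastmod_ms: int        # file mtime Firefox recorded, ms since the epoch
    description: str
    name: str
    mimetypes: list = field(default_factory=list)


def _record_line(line, sep):
    """Every record line ends in '<sep>$'; return it without that terminator."""
    tail = sep + "$"
    if not line.endswith(tail):
        raise ValueError("not a pluginreg.dat record line: %r" % line)
    return line[: -len(tail)]


def parse_pluginreg(text):
    """Return one PluginEntry per record in the [PLUGINS] section."""
    lines = text.splitlines()
    if "[PLUGINS]" not in lines:
        return []
    i = lines.index("[PLUGINS]") + 1
    entries = []
    while i < len(lines):
        if not lines[i].strip():
            i += 1
            continue
        if lines[i].startswith("["):           # [INVALID] or any later section
            break
        if len(lines[i]) < 2 or not lines[i].endswith("$"):
            raise ValueError("malformed record at line %d" % (i + 1))
        sep = lines[i][-2]                     # ':' or '|', read from the record itself
        filename, path, version, stamp, description, name = (
            _record_line(lines[i + k], sep) for k in range(6))
        count = int(lines[i + 6])
        mimes = [_record_line(lines[i + 7 + k], sep).split(sep)[1] for k in range(count)]
        entries.append(PluginEntry(filename, path, version, int(stamp.split(sep)[0]),
                                   description, name, mimes))
        i += 7 + count
    return entries


def effective_version(entry, disk_mtime_ms, disk_version):
    """Version Firefox would act on: the cached one while the recorded mtime still
    matches the file, otherwise the version read from a fresh scan of the file."""
    return entry.version if entry.lastmod_ms == disk_mtime_ms else disk_version


# Constructed from the records posted in comments 18 and 36. The header and
# [INVALID] lines are assumed boilerplate, not quoted in the thread.
LINUX_SAMPLE = """Generated File. Do not edit.

[HEADER]
Version:0.17:$
Arch:x86_64-gcc3:$

[PLUGINS]
libflashplayer.so:$
/usr/lib64/flash-plugin/libflashplayer.so:$
11.2.202.424:$
1416535856000:0:0:0:$
Shockwave Flash 11.2 r202:$
Shockwave Flash:$
2
0:application/x-shockwave-flash:Shockwave Flash:swf:$
1:application/futuresplash:FutureSplash Player:spl:$

[INVALID]
"""

WINDOWS_SAMPLE = r"""[PLUGINS]
NPSWF32_15_0_0_239.dll|$
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll|$
15.0.0.239|$
1417035043377|0|0|0|$
Shockwave Flash 15.0 r0|$
Shockwave Flash|$
2
0|application/x-shockwave-flash|Adobe Flash movie|swf|$
1|application/futuresplash|FutureSplash movie|spl|$
"""

if __name__ == "__main__":
    cached = parse_pluginreg(LINUX_SAMPLE)[0]
    # The package update replaced the file while Firefox ran; the recorded mtime
    # is the new file's, but the version is the one that had been loaded.
    print(effective_version(cached, 1416535856000, "11.2.202.425"))          # 11.2.202.424 (stale)
    print(effective_version(cached, 1416535856000 + 60000, "11.2.202.425"))  # 11.2.202.425 (rescanned)
```

With the constructed stale record, the 11.2.202.424 cache entry is reused even though the file on disk is 11.2.202.425. Under the modeled rule, anything that changes the file's mtime (touching libflashplayer.so, for instance) makes the check fail and forces a rescan, which gives the same result as deleting pluginreg.dat without discarding the other plugin records.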

Comment 39

Please disable this block until it has been properly tested on all OSes and browsers using this list, so it doesn't block the current Flash 13 ESR release. SeaMonkey is affected as well, and it doesn't seem to ask to enable Flash. Imagine the possible damage caused in companies using the ESR Flash release. My current Firefox ESR version still blocks the current ESR Flash and still links to the wrong extension block message.
Something is seriously out of sync here.

Comment 40

(In reply to ice-king from comment #39)
> Please disable this block until it has been properly tested on all OS and
> browsers using this list so it doesn't block the current Flash 13 ESR
> release. Seamonkey is affected as well and it doesn't seem to ask to enable
> flash. Imagine the possible damage caused in companies using the ESR Flash
> release. My current Firefox ESR version still blocks current ESR flash

The Extended Support Release, Flash Player 13.0.0.259, is not on the blocklist, as they even updated to a two-part blocklist yesterday (see comment 33 above) so as not to block 13.0.0.259.

https://addons.mozilla.org/en-US/firefox/blocked/
https://www.adobe.com/products/flashplayer/distribution3.html

Comment 41

Both my Firefox ESR and SeaMonkey (current release for both) have 13.0.0.259 blocked and to be manually activated.
Firefox has had this for some days, SeaMonkey just since today.
No idea how to initiate an update for this blocklist (in case it was accidentally blocked and had this block lifted). Maybe some cache/load-balancing server still issues an outdated blocklist? Maybe different locations (Europe in my case) come into play?

Comment 42

Not sure if I can mark this as verified because of comment 41. I will wait for a response before closing this.

Comment 43

Seems to work for now. I had to use the latest Flash Player on my personal system to restore usability (reverted to Flash ESR now). In an XP VM with 13.252 I installed SeaMonkey and after an hour or so it was listed as blocked (BTW still linking to the wrong blocklist message, talking about 11.x blocked); installed 13.259 and all is fine.

Comment 44

As per last comments I will mark this bug as verified. 
Closing.
Status: RESOLVED → VERIFIED

Updated

Depends on: 1110578

Comment 45

That's still broken on Linux unfortunately. I have updated, the correct version is reported, but it's marked as vulnerable:

   Shockwave Flash is known to be vulnerable and must be updated now
   Shockwave Flash 11,2,202,425
   Shockwave Flash 11.2 r202 More...

I have tried the trick about removal of pluginreg.dat, it was not even renewed.

My version is reported as :

   Firefox ESR 24.1.0
   Firefox is up to date

I don't know what else to check :-/
Is there a simple way to bypass these checks when we know they're bogus ?

Comment 46

Hmmm, I just found that I could cheat by changing the version in pluginreg.dat and pretending to be version 21 (and not changing the timestamp, otherwise it redetects the correct version):

[PLUGINS]
libflashplayer.so:$
/usr/lib/firefox-24.1.0/plugins/libflashplayer.so:$
21,2,202,425:$
1418976511000:0:0:$
Shockwave Flash 21.2 r202:$
Shockwave Flash:$

So there's definitely a bug in the rule applied to the version since 11.2.202.425 is the latest version and is supposed not to be vulnerable.

Willy

Comment 47

I can confirm behaviour mentioned in two previous messages on Linux. Only way to get flash plugin working is to change version number high enough.
Comment 48

(In reply to w@1wt.eu from comment #45)
> My version is reported as :
> 
>    Firefox ESR 24.1.0
>    Firefox is up to date

The Firefox ESR 24 branch reached end-of-life some time ago and is no longer supported. You should be using ESR 31 at this point. I'm not sure that's causing the problem you're reporting but you should update regardless.

(In reply to Kimmo Vuorinen from comment #47)
> I can confirm behaviour mentioned in two previous messages on Linux. Only
> way to get flash plugin working is to change version number high enough.

I just tested this in Fedora 21 with Firefox 34 and Flash 11.2.202.425 without any problems. I suggest filing a new bug report providing details about your system so we can try to configure a similar system for investigation.
Keywords: qawanted

Comment 49

(In reply to Anthony Hughes, QA Mentor (:ashughes) from comment #48)
> (In reply to w@1wt.eu from comment #45)
> > My version is reported as :
> > 
> >    Firefox ESR 24.1.0
> >    Firefox is up to date
> 
> The Firefox ESR 24 branch reached end-of-life some time ago and is no longer
> supported. You should be using ESR 31 at this point. I'm not sure that's
> causing the problem you're reporting but you should update regardless.

Too bad it reports being up to date then. I just tested 31.3, and it lost all
of my ~50 open tabs, that I could not recover even when reloading version 24 :-(
It uses 20% more RAM with just this bugzilla page open, and I really miss the
menu at the top. I just found that 24.8.1 isn't affected by these problems so
I'll switch back to that one after responding to this message.

Thanks anyway.
Willy
Comment 50

(In reply to w@1wt.eu from comment #49)
> (In reply to Anthony Hughes, QA Mentor (:ashughes) from comment #48)
> > (In reply to w@1wt.eu from comment #45)
> > > My version is reported as :
> > > 
> > >    Firefox ESR 24.1.0
> > >    Firefox is up to date
> > 
> > The Firefox ESR 24 branch reached end-of-life some time ago and is no longer
> > supported. You should be using ESR 31 at this point. I'm not sure that's
> > causing the problem you're reporting but you should update regardless.
> 
> Too bad it reports being up to date then. I just tested 31.3, and it lost all
> of my ~50 open tabs, that I could not recover even when reloading version 24
> :-(
> It uses 20% more RAM with just this bugzilla page open, and I really miss the
> menu at the top. I just found that 24.8.1 isn't affected by these problems so
> I'll switch back to that one after responding to this message.
> 
> Thanks anyway.
> Willy

You should post this issue to support.mozilla.org so we can help you work through it and update to the Firefox 31 branch. We won't be releasing security/stability fixes for the 24 branch anymore so you're exposing yourself to a lot of risk by staying on that branch.

Comment 51

I think I too should have a say on this.

For one, it is a good thing vulnerable Flash Player versions are blocked so that they can no longer do any mischief, BUT...

There is something between black & white as well.

I am on Linux, and I personally have to use an earlier 11.2 version because Adobe decided to compile all their Flash Player binaries (11.2.3xx+) for Linux with SSE2 support.
Linux runs on my old machine with good performance, but the CPU does *not* have SSE2.
This means that using a "secure" Flash Player version is not possible for me unless I replace my CPU. I kid you not.

http://cromwell-intl.com/linux/flash-on-non-sse2-cpu.html

So that means, should you decide to block ALL versions below 11.2.400--, you will lock me out as well with your security paranoia. Thanks a lot in advance. Because with these versions my CPU will get confused so much that Flash swfs look like badly broken JPEGs.
(In reply to Andreas Eibach from comment #51)
> I think I too should have a say on this.

Andreas, thanks for taking the time to provide your feedback on the matter. Unfortunately Bugzilla is not the forum for these types of discussions. I strongly encourage you post your feedback to dev-planning@lists.mozilla.org.

Thank you

Comment 54

Ugh. Can this only be done via mailing-list??
In fact, my mailing-list days are over :-) They always feel so 20th century to me ;-)
Comment 55

(In reply to Andreas Eibach from comment #54)
> Ugh. Can this only be done via mailing-list??
> In fact, my mailing-list days are over :-) They always feel so 20th century
> to me ;-)

Mailing lists are how we discuss things of this nature in public. In fact, mailing lists are commonly used in open source projects for public discussion. That said, even this conversation about how we have conversations is not appropriate for Bugzilla. Please take this to the mailing list.

Thank you
Product: addons.mozilla.org → Toolkit

Comment 56

Even though you've given this bug the Status (bug has been fixed and VERIFIED), the entries on the Plugins page still offer no way to remove the blocked versions, and the Update Now link only goes to a page which says which versions are blocked.

Could you modify the Plugins page to provide a way to remove the older version, preferably without also removing the newer version?

I've tried marking the older version Never activate and the newer version Always activate under Earlybird 54.0a2 (2017) (32-bit); this fails because it won't retain those settings from one run of Earlybird to the next.
Comment 57 (Assignee)

I don't think it's possible to have two different versions of the plugin installed. You should be able to update at https://get.adobe.com/flashplayer/. We very rarely block the latest version.

Comment 58

Earlybird thinks that two versions are installed at once on my computer.  I do not have a good way of checking if both are actually installed.

That is the site that the newer version came from; it's up to date, and installing the newer version did not remove the older version from the list of what's installed.

If you need me to send a picture of what Earlybird shows, how and where should I send it?
Comment 59 (Assignee)

This is not the right place to discuss a support issue. You can find Thunderbird support here: https://support.mozilla.org/en-US/products/thunderbird