Closed Bug 1124654 Opened 7 years ago Closed 7 years ago

(CVE-2015-0311) Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED
2015-02

People

(Reporter: cbook, Assigned: jorgev)

Details

(Keywords: sec-critical)

A 0-day was found in Flash according to https://blog.malwarebytes.org/exploits-2/2015/01/new-adobe-flash-zero-day-found-in-the-wild/ and an update to version 16.0.0.287 was apparently done today.

So I guess we need to blocklist older versions of Flash due to the 0day, like version 16.0.0.257.

note: if we do the blocklist, could this be coordinated with schalk (:espressive) so we don't melt plugincheck again like last time when there was a Flash 0day? :)
Severity: normal → critical
OS: Mac OS X → All
Is there a CVE or other post that details which versions of Flash are affected?
Flags: needinfo?(dveditz)
Details:
https://helpx.adobe.com/security/products/flash-player/apsb15-02.html

This fixes _a_ bug that was exploited in the wild (CVE-2015-0310) but the advisory says they're still investigating reports of an exploit going around that works against the version released today. Given the timeline (reports yesterday, release today) I suspect this does not fix the one tested by malwarebytes.

Do we have numbers on how fast uptake of 16.0.0.257 was for Firefox users? If Adobe is going to turn around and release yet another fix maybe we should hold the block until that one's available.
Flags: needinfo?(dveditz)
I don't think AMO gets any plugin stats. If we have anything, it would be from FHR or crash stats.

Kris, do you know?
Flags: needinfo?(kmaglione+bmo)
If we do plan to block flash I would love a heads up so we can give advance notice to our Firefox ESR orgs as they did not take the last blocklist action very well.
No, we don't have plugin stats. FHR does have plugin data, but I don't know off hand if it's collated anywhere accessible. I can get the numbers, but it would involve a special query.
Flags: needinfo?(kmaglione+bmo)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> 
> Do we have numbers on how fast uptake of 16.0.0.257 was for Firefox users?
> If Adobe is going to turn around and release yet another fix maybe we should
> hold the block until that one's available.

If my calculation is right:

16.0.0.257 4117291 67.40%
16.0.0.235  450278  7.37%
NA          294840  4.83%
15.0.0.246  266698  4.37%
15.0.0.152   72735  1.19%
13.0.0.206   59977  0.98%
15.0.0.239   57196  0.94%
14.0.0.145   47584  0.78%
11.1.102.55  33752  0.55%
15.0.0.223   33127  0.54%

Data for release on WINNT from telemetry (bug 939922 comment 7)
(In reply to Hector Zhao [:hectorz] from comment #6)
> 
> If my calculation is right:
> 
> 16.0.0.257 4117291 67.40%
> ...

To be clear, it's https://s3-us-west-2.amazonaws.com/telemetry-public-analysis/flash_versions/data/flash_versions20150121.csv.gz
> We are aware of reports that this vulnerability is being actively exploited in the
> wild via drive-by-download attacks against systems running Internet Explorer and
> Firefox on Windows 8 and below.

> Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26.  

http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

I think this needs immediate attention.
(In reply to Carsten Book [:Tomcat] from comment #0)
> note: if we do the blocklist, could this be coordinated with schalk (:espressive)
> so we don't melt plugincheck again like last time when there was a Flash 0day? :)

In bug 1124656
I have tested that the Plugincheck Website
https://www.mozilla.org/en-US/plugincheck/
is correctly detecting Flash 16.0.0.257 as "vulnerable".

Using Release [Fx 35] and Aurora (AKA Fx Dev Ed) [Fx 37.0a2 (2015-01-23)]
I do get the correct result – "vulnerable" – very good.

However, using UA spoofing, I still have the wrong result for Fx 31.
I am told Flash 16.0.0.257 is "Up to Date".
  The reason why is in bug 1124656.

Can someone please test with a 'real Firefox ESR 31'.

DJ-Leith
So this is a super weird scenario we find ourselves in. Adobe now states that the .287 release is also vulnerable [http://helpx.adobe.com/security/products/flash-player/apsa15-01.html] but, at the same time, that it is the latest [http://www.adobe.com/software/flash/about/], so basically there is no version of Flash at the moment that is not vulnerable.

Should I just update the plugin DB to reflect this or leave .287 marked as latest even though, technically, that is not the case?
Flags: needinfo?(jorge)
(In reply to Schalk Neethling [:espressive] from comment #10)
> Should I just update the plugin DB to reflect this or leave .287 marked as
> latest even though, technically, that is not the case?

Adobe updated apsa15-01 today to say they are rolling automatic updates out of a newer version to address that flaw, and that direct downloads will be available in a few days. My own machine is now on 16.0.0.296

The bulletin doesn't say anything about when updates for the 13.x or 11.2.202.x branches will be available.
Summary: Blocklist request for flash 0day affected version 16.0.0.257 → Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438
Fixed Adobe Flash Player versions were released here - https://www.adobe.com/products/flashplayer/distribution3.html

more info also here:
http://blogs.adobe.com/psirt/?p=1160

We can now blacklist all Flash Player versions under 16.0.0.296 for Windows & Mac and all Flash Player versions under 11.2.202.440 for Linux, as:

Affected software versions
    Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
    Adobe Flash Player 13.0.0.262 and earlier 13.x versions
    Adobe Flash Player 11.2.202.438 and earlier versions for Linux
(In reply to Virtual_ManPL [:Virtual] from comment #12)
> We can now blacklist all Flash Player versions under 16.0.0.296 for Windows & Mac

exclude Flash Player 13.0.0.264 (Extended Support Release) for Windows & Mac
Ok, I have updated the plugins database as follows:

Latest Win and Mac: 16.0.0.296
Latest Win and Mac ESR: 13.0.0.264

For Linux I cannot seem to find a version in which the vulnerabilities will be fixed, so all versions for Linux are marked as vulnerable. Will update the database with the latest as soon as we know what the version number for the latest Linux release will be.
(In reply to Schalk Neethling [:espressive] from comment #14)
> For Linux I cannot seem to find a version in which the vulnerabilities will
> be fixed so, all versions for Linux are marked as vulnerable. Will update
> the database with the latest, as soon as we know what the version number for
> the latest Linux release will be.

The advisory said 11.2.202.438 was affected and there is now a .440 newly available. Although I can't find anywhere Adobe has said .440 is the fix, neither is there anywhere they've said it was affected. It would be safer to have plugincheck mark only .438 and below as vulnerable and .440 as the "latest" for Linux.
(In reply to Daniel Veditz [:dveditz] from comment #15)
> (In reply to Schalk Neethling [:espressive] from comment #14)
> > For Linux I cannot seem to find a version in which the vulnerabilities will
> > be fixed so, all versions for Linux are marked as vulnerable. Will update
> > the database with the latest, as soon as we know what the version number for
> > the latest Linux release will be.
> 
> The advisory said 11.2.202.438 was affected and there is now a .440 newly
> available. Although I can't find anywhere Adobe has said .440 is the fix,
> neither is there anywhere they've said it was affected. It would be safer to
> have plugincheck mark only .438 and below as vulnerable and .440 as the
> "latest" for Linux.

Thanks, I added the .440 release as latest for Linux.
The following blocks have been staged:

Flash Player Plugin (ESR) 13.0.0.259 to 13.0.0.263 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p596

Flash Player Plugin on Linux 11.2.202.425 to 11.2.202.439 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p594

Flash Player Plugin 15.0.0.243 to 16.0.0.295 (click-to-play) 
https://addons-dev.allizom.org/en-US/firefox/blocked/p592

Juan, can you give these a try?
Flags: needinfo?(jorge) → needinfo?(jbecerra)
Keywords: qawanted
Just making sure, for Linux version blocklist it is OS=Linux so as to not have a repeat of Bug 1112086 where Flash was blocked in Android.
(In reply to james.bugzilla from comment #18)
> Just making sure, for Linux version blocklist it is OS=Linux so as to not
> have a repeat of Bug 1112086 where Flash was blocked in Android.

Yes, I took that into account, thanks.
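As an added illustration of how the three staged ranges above and the OS restriction from comment 18 fit together (example code written for this page, not Mozilla's blocklist or plugincheck implementation): versions are compared as integer tuples rather than strings, the Linux entry carries an explicit OS target so an Android profile reporting the same plugin version is left alone, and the state labels mirror the ones QA reported from about:plugins. The `STAGED_BLOCKS` structure and the OS names passed in (`WINNT`, `Darwin`, `Linux`, `Android`) are assumptions for the example.

```python
"""Version-range matching for plugin blocklist entries (added example).

Models the three click-to-play blocks staged in comment 17 plus the OS
restriction raised in comment 18. The data structure and function names are
hypothetical; the version numbers are the ones from this bug.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '11.2.202.438' into a comparable int tuple.

    Shorter strings are padded with zeros so '16.0' sorts as '16.0.0.0'.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def string_compare_misorders(a: str, b: str) -> bool:
    """True when plain string ordering disagrees with numeric ordering.

    Demonstrates why version ranges must not be checked with str comparison:
    '9.0.280.0' sorts after '16.0.0.296' as text but before it numerically.
    """
    return (a < b) != (parse_version(a) < parse_version(b))


@dataclass(frozen=True)
class BlockEntry:
    name: str
    min_version: str
    max_version: str
    os: Optional[str] = None  # None means the entry applies on every OS
    # All three staged entries are click-to-play (soft block) rather than hard blocks.

    def matches(self, version: str, os_name: str) -> bool:
        """True when version is inside [min, max] and any OS restriction holds."""
        if self.os is not None and self.os != os_name:
            return False
        return (parse_version(self.min_version)
                <= parse_version(version)
                <= parse_version(self.max_version))


# The ranges staged in comment 17 of this bug (constructed structure, real numbers).
STAGED_BLOCKS = (
    BlockEntry("Flash Player Plugin (ESR)", "13.0.0.259", "13.0.0.263"),
    BlockEntry("Flash Player Plugin on Linux", "11.2.202.425", "11.2.202.439", os="Linux"),
    BlockEntry("Flash Player Plugin", "15.0.0.243", "16.0.0.295"),
)


def find_block(version: str, os_name: str, blocks=STAGED_BLOCKS) -> Optional[BlockEntry]:
    """Return the first staged entry covering this version on this OS, else None."""
    for entry in blocks:
        if entry.matches(version, os_name):
            return entry
    return None


def plugin_state(version: str, os_name: str, blocks=STAGED_BLOCKS) -> str:
    """State label as shown in about:plugins for a click-to-play soft block."""
    if find_block(version, os_name, blocks) is not None:
        return "STATE_VULNERABLE_UPDATE_AVAILABLE"
    return "Enabled"


if __name__ == "__main__":
    # Same version the Linux entry targets, but reported from an Android build:
    # it must stay enabled, which is the regression bug 1112086 was about.
    for ver, os_name in [("11.2.202.425", "Linux"), ("11.2.202.425", "Android"),
                         ("13.0.0.262", "WINNT"), ("13.0.0.264", "WINNT"),
                         ("16.0.0.240", "Darwin"), ("16.0.0.296", "WINNT")]:
        print(f"{ver:14} {os_name:8} {plugin_state(ver, os_name)}")
```

The OS filter is the part worth checking in review: a range that is numerically correct still over-blocks if it is not tied to the platform it was written for, which is exactly the question James raises in comment 18.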
This seems to have stalled. What steps remain, who gives the go-ahead? If we're waiting on someone who is unavailable (e.g. I'm at a conference this week and barely keeping up w/mail) who are the alternates?
Flags: needinfo?(lmandel)
Confirming versions blocked above with the advisory Adobe released yesterday:
http://helpx.adobe.com/security/products/flash-player/apsb15-03.html

(just a double-check that the fixed versions were consistent with the ones listed in the pre-fix bulletin)
My understanding from our conversation during yesterday's channel meeting is that we are waiting on a subsequent fix from Adobe. If the blocks that Jorge listed in comment 17 are good to go, I'm good to push these to production as soon as we verify that the blocks are good.
Flags: needinfo?(lmandel)
(In reply to Lawrence Mandel [:lmandel] (use needinfo) from comment #22)
> My understanding from our conversation during yesterday's channel meeting is
> that we are waiting on a subsequent fix from Adobe. If the blocks that Jorge
> listed in comment 17 are good to go, I'm good to push these to production as
> soon as we verify that the blocks are good.

No, the fixes are already available. This is only blocked on QA.
(In reply to Jorge Villalobos [:jorgev] from comment #17)
> The following blocks have been staged:
> 
> Flash Player Plugin (ESR) 13.0.0.259 to 13.0.0.263 (click-to-play)
> https://addons-dev.allizom.org/en-US/firefox/blocked/p596
> 
> Flash Player Plugin on Linux 11.2.202.425 to 11.2.202.439 (click-to-play)
> https://addons-dev.allizom.org/en-US/firefox/blocked/p594
> 
> Flash Player Plugin 15.0.0.243 to 16.0.0.295 (click-to-play) 
> https://addons-dev.allizom.org/en-US/firefox/blocked/p592
> 
> Juan, can you give these a try?

I tested these on staging and the older versions are now click-to-play. We can go ahead with pushing these to release.

This is what I tested (columns: Platform, Version, Older Flash version status, New Flash version status):

Win XP
ESR 31.4.0
File: NPSWF32_13_0_0_262.dll
Path: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_13_0_0_262.dll
Version: 13.0.0.262
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0

File: NPSWF32_13_0_0_264.dll
Path: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_13_0_0_264.dll
Version: 13.0.0.264
State: Enabled
Shockwave Flash 13.0 r0

Linux
34.0
File: libflashplayer.so
Path: /usr/lib/adobe-flashplugin/libflashplayer.so
Version: 11.2.202.425
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

File: libflashplayer.so
Path: /usr/lib/adobe-flashplugin/libflashplayer.so
Version: 11.2.202.440
State: Enabled
Shockwave Flash 11.2 r202

Win 7
35.0.1
Archivo: NPSWF32_15_0_0_246.dll
Ruta: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll
Versión: 15.0.0.246
Estado: Habilitado (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 15.0 r0

Archivo: NPSWF32_16_0_0_296.dll
Ruta: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_296.dll
Versión: 16.0.0.296
Estado: Habilitado
Shockwave Flash 16.0 r0

Mac
35.0.1
File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 16.0.0.240
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 16.0 d0

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 16.0.0.296
State: Enabled
Shockwave Flash 16.0 r0
Flags: needinfo?(jbecerra)
Blocked:

https://addons.mozilla.org/en-US/firefox/blocked/p828
https://addons.mozilla.org/en-US/firefox/blocked/p826
https://addons.mozilla.org/en-US/firefox/blocked/p824

Following Adobe's security bulletin, I adjusted the Windows block for a max version of 16.0.0.287 (previously 16.0.0.295). The others remained the same.
Assignee: nobody → jorge
Status: NEW → RESOLVED
Closed: 7 years ago
Keywords: qawanted
Resolution: --- → FIXED
Target Milestone: --- → 2015-02
(In reply to Jorge Villalobos [:jorgev] from comment #25)
> Blocked:
> 
> https://addons.mozilla.org/en-US/firefox/blocked/p828
> https://addons.mozilla.org/en-US/firefox/blocked/p826
> https://addons.mozilla.org/en-US/firefox/blocked/p824
> 
> Following Adobe's security bulletin, I adjusted the Windows block for a max
> version of 16.0.0.287 (previously 16.0.0.295). The others remained the same.

Seems we need to change that text away from linking to plugincheck. We are currently seeing a spike in requests to the plugincheck DB and so problems on the servers. Filed bug 1127268.
Hardware: x86 → All
Summary: Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438 → (CVE-2015-0311) Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438
Product: addons.mozilla.org → Toolkit