Bug 1124654 (Closed)
(CVE-2015-0311) Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438
Opened 10 years ago, closed 10 years ago
Product/Component: Toolkit :: Blocklist Policy Requests (defect)
Status: RESOLVED FIXED, target milestone 2015-02
Reporter: cbook; Assigned: jorgev
Keywords: sec-critical
A 0-day was found in Flash according to https://blog.malwarebytes.org/exploits-2/2015/01/new-adobe-flash-zero-day-found-in-the-wild/ and an update to version 16.0.0.287 was apparently done today.
So I guess we need to blocklist older versions of Flash due to the 0day, like version 16.0.0.257.
note: if we do the blocklist, could this be coordinated with schalk (:espressive) so we don't melt plugincheck again like last time when there was a flash 0day ? :)
Updated•10 years ago
Severity: normal → critical
OS: Mac OS X → All
Comment 1•10 years ago
Is there a CVE or other post that details which versions of Flash are affected?
Flags: needinfo?(dveditz)
Comment 2•10 years ago
Details:
https://helpx.adobe.com/security/products/flash-player/apsb15-02.html
This fixes _a_ bug that was exploited in the wild (CVE-2015-0310) but the advisory says they're still investigating reports of an exploit going around that works against the version released today. Given the timeline (reports yesterday, release today) I suspect this does not fix the one tested by malwarebytes.
Do we have numbers on how fast uptake of 16.0.0.257 was for Firefox users? If Adobe is going to turn around and release yet another fix maybe we should hold the block until that one's available.
Flags: needinfo?(dveditz)
Comment 3•10 years ago
I don't think AMO gets any plugin stats. If we have anything, it would be from FHR or crash stats.
Kris, do you know?
Flags: needinfo?(kmaglione+bmo)
Comment 4•10 years ago
If we do plan to block flash I would love a heads up so we can give advance notice to our Firefox ESR orgs as they did not take the last blocklist action very well.
Comment 5•10 years ago
No, we don't have plugin stats. FHR does have plugin data, but I don't know off hand if it's collated anywhere accessible. I can get the numbers, but it would involve a special query.
Flags: needinfo?(kmaglione+bmo)
Comment 6•10 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
>
> Do we have numbers on how fast uptake of 16.0.0.257 was for Firefox users?
> If Adobe is going to turn around and release yet another fix maybe we should
> hold the block until that one's available.
If my calculation is right:
Version       Count     Share
16.0.0.257    4117291   67.40%
16.0.0.235     450278    7.37%
NA             294840    4.83%
15.0.0.246     266698    4.37%
15.0.0.152      72735    1.19%
13.0.0.206      59977    0.98%
15.0.0.239      57196    0.94%
14.0.0.145      47584    0.78%
11.1.102.55     33752    0.55%
15.0.0.223      33127    0.54%
Data for release on WINNT from telemetry (bug 939922 comment 7)
Comment 7•10 years ago
(In reply to Hector Zhao [:hectorz] from comment #6)
>
> If my calculation is right:
>
> 16.0.0.257 4117291 67.40%
> ...
To be clear, it's https://s3-us-west-2.amazonaws.com/telemetry-public-analysis/flash_versions/data/flash_versions20150121.csv.gz
> We are aware of reports that this vulnerability is being actively exploited in the
> wild via drive-by-download attacks against systems running Internet Explorer and
> Firefox on Windows 8 and below.
> Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26.
http://helpx.adobe.com/security/products/flash-player/apsa15-01.html
I think this needs immediate attention.
(In reply to Carsten Book [:Tomcat] from comment #0)
> note: if we do the blocklist, could this be cordinated with schalk (:espressive)
> so we don't melt plugincheck again like last time when there was a flash 0day ? :)
In bug 1124656
I have tested that the Plugincheck Website
https://www.mozilla.org/en-US/plugincheck/
is correctly detecting Flash 16.0.0.257 as "vulnerable".
Using Release [Fx 35] and Aurora (AKA Fx Dev Ed) [Fx 37.0a2 (2015-01-23)]
I do get the correct result – "vulnerable" – very good.
However, using UA spoofing, I still have the wrong result for Fx 31.
I am told Flash 16.0.0.257 is "Up to Date".
The reason why is in bug 1124656.
Can someone please test with a 'real Firefox ESR 31'.
DJ-Leith
Comment 10•10 years ago
So this is a super weird scenario we find ourselves in. Adobe now states that the .287 release is also vulnerable [http://helpx.adobe.com/security/products/flash-player/apsa15-01.html] but, at the same time, that it is the latest [http://www.adobe.com/software/flash/about/], so basically there is no version of Flash at the moment that is not vulnerable.
Should I just update the plugin DB to reflect this or leave .287 marked as latest even though, technically, that is not the case?
Flags: needinfo?(jorge)
Comment 11•10 years ago
(In reply to Schalk Neethling [:espressive] from comment #10)
> Should I just update the plugin DB to reflect this or leave .287 marked as
> latest event though, technically, that is not the case.
Adobe updated apsa15-01 today to say they are rolling automatic updates out of a newer version to address that flaw, and that direct downloads will be available in a few days. My own machine is now on 16.0.0.296
The bulletin doesn't say anything about when updates for the 13.x or 11.2.202.x branches will be available.
Summary: Blocklist request for flash 0day affected version 16.0.0.257 → Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438
Comment 12•10 years ago
Fixed Adobe Flash Player versions were released here - https://www.adobe.com/products/flashplayer/distribution3.html
more info also here:
http://blogs.adobe.com/psirt/?p=1160
We can now blacklist all Flash Player versions under 16.0.0.296 for Windows & Mac and all Flash Player versions under 11.2.202.440 for Linux, as:
Affected software versions
Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
Adobe Flash Player 13.0.0.262 and earlier 13.x versions
Adobe Flash Player 11.2.202.438 and earlier versions for Linux
Comment 13•10 years ago
(In reply to Virtual_ManPL [:Virtual] from comment #12)
> We can now blacklist all Flash Player versions under 16.0.0.296 for Windows & Mac
exclude Flash Player 13.0.0.264 (Extended Support Release) for Windows & Mac
Updated•10 years ago
Keywords: sec-critical
Comment 14•10 years ago
Ok, I have updated the plugins database as follows:
Latest Win and Mac: 16.0.0.296
Latest Win and Mac ESR: 13.0.0.264
For Linux I cannot seem to find a version in which the vulnerabilities will be fixed so, all versions for Linux are marked as vulnerable. Will update the database with the latest, as soon as we know what the version number for the latest Linux release will be.
Comment 15•10 years ago
(In reply to Schalk Neethling [:espressive] from comment #14)
> For Linux I cannot seem to find a version in which the vulnerabilities will
> be fixed so, all versions for Linux are marked as vulnerable. Will update
> the database with the latest, as soon as we know what the version number for
> the latest Linux release will be.
The advisory said 11.2.202.438 was affected and there is now a .440 newly available. Although I can't find anywhere Adobe has said .440 is the fix, neither is there anywhere they've said it was affected. It would be safer to have plugincheck mark only .438 and below as vulnerable and .440 as the "latest" for Linux.
Comment 16•10 years ago
(In reply to Daniel Veditz [:dveditz] from comment #15)
> (In reply to Schalk Neethling [:espressive] from comment #14)
> > For Linux I cannot seem to find a version in which the vulnerabilities will
> > be fixed so, all versions for Linux are marked as vulnerable. Will update
> > the database with the latest, as soon as we know what the version number for
> > the latest Linux release will be.
>
> The advisory said 11.2.202.438 was affected and there is now a .440 newly
> available. Although I can't find anywhere Adobe has said .440 is the fix,
> neither is there anywhere they've said it was affected. It would be safer to
> have plugincheck mark only .438 and below as vulnerable and .440 as the
> "latest" for Linux.
Thanks, I added the 440 release as latest for Linux
Comment 17•10 years ago
The following blocks have been staged:
Flash Player Plugin (ESR) 13.0.0.259 to 13.0.0.263 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p596
Flash Player Plugin on Linux 11.2.202.425 to 11.2.202.439 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p594
Flash Player Plugin 15.0.0.243 to 16.0.0.295 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p592
Juan, can you give these a try?
Flags: needinfo?(jorge) → needinfo?(jbecerra)
Keywords: qawanted
Comment 18•10 years ago
Just making sure, for Linux version blocklist it is OS=Linux so as to not have a repeat of Bug 1112086 where Flash was blocked in Android.
Comment 19•10 years ago
(In reply to james.bugzilla from comment #18)
> Just making sure, for Linux version blocklist it is OS=Linux so as to not
> have a repeat of Bug 1112086 where Flash was blocked in Android.
Yes, I took that into account, thanks.
Comment 20•10 years ago
This seems to have stalled. What steps remain, who gives the go-ahead? If we're waiting on someone who is unavailable (e.g. I'm at a conference this week and barely keeping up w/mail) who are the alternates?
Flags: needinfo?(lmandel)
Comment 21•10 years ago
Confirming versions blocked above with the advisory Adobe released yesterday:
http://helpx.adobe.com/security/products/flash-player/apsb15-03.html
(just a double-check that the fixed versions were consistent with the ones listed in the pre-fix bulletin)
Comment 22•10 years ago
My understanding from our conversation during yesterday's channel meeting is that we are waiting on a subsequent fix from Adobe. If the blocks that Jorge listed in comment 17 are good to go, I'm good to push these to production as soon as we verify that the blocks are good.
Flags: needinfo?(lmandel)
Comment 23•10 years ago
(In reply to Lawrence Mandel [:lmandel] (use needinfo) from comment #22)
> My understanding from our conversation during yesterday's channel meeting is
> that we are waiting on a subsequent fix from Adobe. If the blocks that Jorge
> listed in comment 17 are good to go, I'm good to push these to production as
> soon as we verify that the blocks are good.
No, the fixes are already available. This is only blocked on QA.
Comment 24•10 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #17)
> The following blocks have been staged:
>
> Flash Player Plugin (ESR) 13.0.0.259 to 13.0.0.263 (click-to-play)
> https://addons-dev.allizom.org/en-US/firefox/blocked/p596
>
> Flash Player Plugin on Linux 11.2.202.425 to 11.2.202.439 (click-to-play)
> https://addons-dev.allizom.org/en-US/firefox/blocked/p594
>
> Flash Player Plugin 15.0.0.243 to 16.0.0.295 (click-to-play)
> https://addons-dev.allizom.org/en-US/firefox/blocked/p592
>
> Juan, can you give these a try?
I tested these on staging and the older versions are now click-to-play. We can go ahead with pushing these to release.
This is what I tested (platform, Firefox version, then the about:plugins status of the older and the new Flash version):

Win XP, Firefox ESR 31.4.0
Older Flash version status:
  File: NPSWF32_13_0_0_262.dll
  Path: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_13_0_0_262.dll
  Version: 13.0.0.262
  State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
  Shockwave Flash 13.0 r0
New Flash version status:
  File: NPSWF32_13_0_0_264.dll
  Path: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_13_0_0_264.dll
  Version: 13.0.0.264
  State: Enabled
  Shockwave Flash 13.0 r0

Linux, Firefox 34.0
Older Flash version status:
  File: libflashplayer.so
  Path: /usr/lib/adobe-flashplugin/libflashplayer.so
  Version: 11.2.202.425
  State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
  Shockwave Flash 11.2 r202
New Flash version status:
  File: libflashplayer.so
  Path: /usr/lib/adobe-flashplugin/libflashplayer.so
  Version: 11.2.202.440
  State: Enabled
  Shockwave Flash 11.2 r202

Win 7, Firefox 35.0.1 (Spanish-locale about:plugins output)
Older Flash version status:
  Archivo: NPSWF32_15_0_0_246.dll
  Ruta: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll
  Versión: 15.0.0.246
  Estado: Habilitado (STATE_VULNERABLE_UPDATE_AVAILABLE)
  Shockwave Flash 15.0 r0
New Flash version status:
  Archivo: NPSWF32_16_0_0_296.dll
  Ruta: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_296.dll
  Versión: 16.0.0.296
  Estado: Habilitado
  Shockwave Flash 16.0 r0

Mac, Firefox 35.0.1
Older Flash version status:
  File: Flash Player.plugin
  Path: /Library/Internet Plug-Ins/Flash Player.plugin
  Version: 16.0.0.240
  State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
  Shockwave Flash 16.0 d0
New Flash version status:
  File: Flash Player.plugin
  Path: /Library/Internet Plug-Ins/Flash Player.plugin
  Version: 16.0.0.296
  State: Enabled
  Shockwave Flash 16.0 r0
Flags: needinfo?(jbecerra)
Comment 25•10 years ago
Blocked:
https://addons.mozilla.org/en-US/firefox/blocked/p828
https://addons.mozilla.org/en-US/firefox/blocked/p826
https://addons.mozilla.org/en-US/firefox/blocked/p824
Following Adobe's security bulletin, I adjusted the Windows block for a max version of 16.0.0.287 (previously 16.0.0.295). The others remained the same.
Assignee: nobody → jorge
Status: NEW → RESOLVED
Closed: 10 years ago
Keywords: qawanted
Resolution: --- → FIXED
Target Milestone: --- → 2015-02
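The block ranges staged in comment 17 and pushed in comment 25 (Windows/Mac maximum lowered to 16.0.0.287), together with the OS scoping that comment 18 asks about, can be checked against the QA matrix from comment 24. This is an added illustration, not Mozilla's blocklist code; the OS labels (WINNT, Darwin, Linux, Android) are assumed names, and versions are compared numerically per component so that a lexical comparison cannot misorder builds such as .99 and .287.

```python
"""Added example: match an installed Flash build against the click-to-play
block ranges from this bug, scoped by OS.  Not Mozilla's blocklist code."""
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'16.0.0.287' -> (16, 0, 0, 287): numeric, per-component comparison."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Block:
    name: str
    min_version: str
    max_version: str
    os: Optional[str] = None  # None: applies on every OS

    def matches(self, version: str, os_name: str) -> bool:
        # OS check first: the Linux-only block must never hit Android
        # (the regression described in bug 1112086).
        if self.os is not None and self.os != os_name:
            return False
        low, high = parse_version(self.min_version), parse_version(self.max_version)
        return low <= parse_version(version) <= high


# Ranges as pushed to production in comment 25 (inclusive bounds).
BLOCKS = [
    Block("Flash Player Plugin (ESR)", "13.0.0.259", "13.0.0.263"),
    Block("Flash Player Plugin on Linux", "11.2.202.425", "11.2.202.439", os="Linux"),
    Block("Flash Player Plugin", "15.0.0.243", "16.0.0.287"),
]


def block_for(version: str, os_name: str) -> Optional[str]:
    """Name of the first block that covers this build on this OS, else None."""
    for block in BLOCKS:
        if block.matches(version, os_name):
            return block.name
    return None


if __name__ == "__main__":
    # Constructed inputs taken from the QA matrix in comment 24.
    for ver, os_name in [("13.0.0.262", "WINNT"), ("13.0.0.264", "WINNT"),
                         ("11.2.202.425", "Linux"), ("11.2.202.425", "Android")]:
        print(ver, os_name, "->", block_for(ver, os_name))
```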
Comment 26•10 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #25)
> Blocked:
>
> https://addons.mozilla.org/en-US/firefox/blocked/p828
> https://addons.mozilla.org/en-US/firefox/blocked/p826
> https://addons.mozilla.org/en-US/firefox/blocked/p824
>
> Following Adobe's security bulletin, I adjusted the Windows block for a max
> version of 16.0.0.287 (previously 16.0.0.295). The others remained the same.
Seems we need to change that text away from linking to plugincheck. We are currently seeing a spike in requests to the plugincheck db and so problems in the servers. Filed bug 1127268
Updated•10 years ago
Hardware: x86 → All
Summary: Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438 → (CVE-2015-0311) Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438
Updated•9 years ago
Product: addons.mozilla.org → Toolkit