Closed Bug 1124656 Opened 10 years ago Closed 10 years ago

Update plugincheck to flash 16.0.0.287

Product/Component: Plugin Check Graveyard :: General
Type: defect
Platform: x86 / All
Priority: Not set
Severity: critical
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: cbook
Assignee: Unassigned

A 0-day was found in Flash according to https://blog.malwarebytes.org/exploits-2/2015/01/new-adobe-flash-zero-day-found-in-the-wild/, and an update to version 16.0.0.287 was apparently done today, so we need to update plugincheck too.

Production update done: updated the versions for Linux, Mac and Windows. We might need to add the advisory URL and the ESR version of Flash later, when the advisory is online for this release, which it is not yet.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Test results: Fx 31 is still reporting Flash 16.0.0.257 as "Up to Date".

Test done by UA spoof. Why? Because I don't have Firefox ESR, but I think Firefox ESR will have the User Agent:

> Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31

See "User Agent for Firefox ESR" in the References (below).

> From May 2014:
> Release (and older versions of Firefox) has been using enumeration and the 'dynamic URLs'.
> Beta + (as I write Fx 35, Fx 36 and Fx 37) uses the 'JSON List' (from bug 956905).

Source is bug 938885 comment # 53. I don't think that the 'version has been bumped on', and I think that Fx 35 (i.e. Release) is using the 'JSON List'. Schalk Neethling [:espressive] can correct me on this.

Next is the 'dynamic URL' that includes the 'stale data' that was used during the visit to do a 'plugincheck' today. This explains HOW I have had the 'wrong report for Flash 16.0.0.257'.

https://plugins.mozilla.org/pfs/v2?appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appRelease=31&appVersion=20150108202552&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fx-shockwave-flash+application%2Ffuturesplash&callback=C

> 'releases': {
> 'latest': [
> {
> 'id': '4',
> 'pfs_id': 'adobe-flash-player',
> 'name': 'Adobe Flash Player',
> 'vendor': 'Adobe',
> 'url': 'http://www.adobe.com/go/getflashplayer',
> 'icon_url': 'http://www.adobe.com/macromedia/style_guide/logos/flash_enabled/images/flash_enabled_logo_horizont_s.jpg',
> 'license_url': 'http://www.adobe.com/go/eula_flashplayer',
> 'modified': '2015-01-14T18:21:03+00:00',
> 'created': '2015-01-14T18:21:03+00:00',
> 'plugin_id': '1',
> 'os_id': '3',
> 'platform_id': '4',
> 'status': 'latest',
> 'version': '16.0.0.257',
> 'detected_version': '16.0.0.257',
> 'detection_type': '*',
> 'os_name': 'win',
> 'app_id': '*',
> 'app_release': '*',
> 'app_version': '*',
> 'locale': '*',
> 'fetched': '2015-01-20T11:13:21-08:00',
> 'relevance': 3

Note: The most important point is

> 'fetched': '2015-01-20T11:13:21-08:00',

The data was 'fetched (and cached?)' before Carsten Book [:Tomcat] on 2015-01-22 at 06:07:46 PST added Flash "16.0.0.287" to the Plugincheck Database (in comment # 1).

It would be good to do a test with a 'real Firefox ESR 31', using Flash "16.0.0.257", before the Blocklist is done: Bug 1124654 "Blocklist request for flash 0day affected version 16.0.0.257".

Good news: Fx 35 and Fx 37.0a2 (2015-01-23) give the correct result; Flash 16.0.0.257 is correctly reported as "vulnerable". I think both Fx 35 and Fx 37 use the 'JSON List' method to get the data from the 'Plugincheck Database' when visiting the 'Plugincheck Website'.

References:

Bug 1121294 "Update current Flash versions in plugincheck to reflect 2015-01-13 releases"
In this bug Flash 16.0.0.257 was added to the Plugincheck Database. Schalk Neethling [:espressive] did this on 2015-01-14 at 02:22:23 PST (see bug 1121294 comment # 1). This is the 'data that is being fetched by the dynamic URL' (above) that is now 'stale data that should no longer be used' - if we want an accurate report.

Bug 1117195 "After updating the Plugincheck Database the Plugincheck Website should use the new data within Minutes NOT Days"
This has a chronology, from December 2014, that documents what happened when users went to 'do a plugincheck' after the previous 'Flash Blocklist' (bug 1109795). Six days after the Plugincheck Database had been updated, the wrong data was still being used by the 'dynamic URLs'. The 'JSON List' was able to get the 'fresh data' to the Plugincheck Website in two days. So, for many days, users were told that their Flash was "Up to Date" in error.

Bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable, on Windows 7"
This has more detail about the 'dynamic URLs' that seem to be 'cached for a very long time' or provide 'stale data' when a user visits the Plugincheck Website.

User Agent for Firefox ESR, see: Bug 1110923
Old summary: "Looks like you're using an older version of Firefox"
New summary: "Use the self support APIs to obtain a real version number rather than relying on the UA"
The user has Fx ESR but was getting a 'confusing message' when he was doing a plugincheck:

> Go to:
> 'https://www.mozilla.org/en-US/plugincheck/'
>
> Actual results:
>
> Page says:
> "Looks like you're using an older version of Firefox"

See bug 956905 comment # 148 onwards, "Publish JSON list of all plugins for use on /plugincheck", for an introduction and background to all of the above.

DJ-Leith
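Worked example, added here as an illustration of the failure described in the comment above; it is not code from this bug, from the plugincheck site, or from Mozilla. It models a client that receives the PFS 'latest' record quoted above (trimmed to the fields that matter and embedded as a constructed sample), compares the installed Flash version against it numerically, and refuses to report "Up to Date" when the record's 'fetched' timestamp predates a reference update time. The reference time used is the 2015-01-22 06:07:46 PST timestamp of comment 1, an assumption for the example; a real client has no such reference point, which is precisely why the stale cached answer went unnoticed. The "fresh" record and its timestamp are likewise constructed.

```javascript
// Added example, not code from the bug, the plugincheck site or Mozilla.
// It models the failure DJ-Leith describes: the PFS "dynamic URL" record
// still names Flash 16.0.0.257 as the latest version, and its 'fetched'
// timestamp predates the database update that added 16.0.0.287, so an
// "Up to Date" verdict built on it is wrong.

// Constructed sample: fields trimmed from the PFS record quoted in the bug.
const pfsLatestStale = {
  pfs_id: "adobe-flash-player",
  version: "16.0.0.257",
  detected_version: "16.0.0.257",
  fetched: "2015-01-20T11:13:21-08:00",
};

// Constructed sample: what a refreshed record should look like after the
// database update (version from the bug summary; the timestamp is made up).
const pfsLatestFresh = {
  pfs_id: "adobe-flash-player",
  version: "16.0.0.287",
  detected_version: "16.0.0.287",
  fetched: "2015-01-23T09:00:00-08:00",
};

// Assumption for the example: the database was updated when comment 1 was
// posted (2015-01-22 06:07:46 PST). A client normally has no such reference
// point, which is why stale cached data goes unnoticed.
const DB_UPDATED_AT = "2015-01-22T06:07:46-08:00";

// Compare dotted version strings field by field as integers. A plain string
// comparison would rank "16.0.0.9" above "16.0.0.10".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Naive verdict: trust whatever the record says is latest. This is how
// 16.0.0.257 ends up reported as "up-to-date".
function naiveVerdict(installed, record) {
  return compareVersions(installed, record.version) < 0 ? "vulnerable" : "up-to-date";
}

// Guarded verdict: never call anything "up-to-date" on the strength of a
// record fetched before the reference update time; answer "stale" instead.
// "vulnerable" may still be reported from old data, since a newer record
// could only raise the bar further.
function guardedVerdict(installed, record, referenceIso) {
  const fetched = Date.parse(record.fetched);
  const reference = Date.parse(referenceIso);
  if (compareVersions(installed, record.version) < 0) return "vulnerable";
  if (Number.isNaN(fetched) || fetched < reference) return "stale";
  return "up-to-date";
}

console.log(naiveVerdict("16.0.0.257", pfsLatestStale));                  // up-to-date (wrong)
console.log(guardedVerdict("16.0.0.257", pfsLatestStale, DB_UPDATED_AT)); // stale
console.log(guardedVerdict("16.0.0.257", pfsLatestFresh, DB_UPDATED_AT)); // vulnerable
console.log(guardedVerdict("16.0.0.287", pfsLatestFresh, DB_UPDATED_AT)); // up-to-date
```

The asymmetry in guardedVerdict is deliberate: old data can safely say "you are behind", but it can never safely say "you are current", because the cached record may simply not know about the newer release yet.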