Plugincheck - Improve Adobe Reader plugin reporting

RESOLVED FIXED

People

(Reporter: DJ-Leith, Assigned: espressive)

Attachments

(5 attachments)

(Reporter)

Description

3 years ago
Created attachment 8592419 [details]
Plugincheck-Fx-39-Reader-WRONG-Flash-Correct-2015-04-14.png

"Plugincheck-Fx-39-Reader-WRONG-Flash-Correct-2015-04-14.png"

Yesterday, 2015-04-13, Adobe Reader 11.0.10.32 was correctly shown as "Up to Date".
Today, 2015-04-14, it is shown as "vulnerable".

See the attached screenshot.
The result for Flash is correct [see Bug 1154397 (to add Flash 17.0.0.169)].
The result for Reader is wrong.

AFAICT, Adobe have not released a new version.

See
Recent Adobe
Security Bulletins and Advisories
https://helpx.adobe.com/security.html
where it is NOT mentioned.

All Adobe Acrobat Security Bulletins
https://helpx.adobe.com/security/products/acrobat.html
also does not have a Security Bulletin for Reader in April 2015.

In Adobe Reader, Help, "Check for updates..."
says
"No updates available"

I can not find a bug in Bugzilla to add a new version of 'Adobe Reader'
to the Plugincheck Database.

Schalk,
I hope this is not bug 1020133 "Improve Adobe Acrobat plugin reporting"
so I have filed a new bug.


Recent Plugincheck bugs include:
Bug 1154397 (to add Flash 17.0.0.169 to the Plugincheck Database on 2015-04-14)

Bug 1153448 "L10N Plugincheck, locale missing, en-GB has become en-US"
The screenshot (above) also shows what happens when I try and use
https://www.mozilla.org/en-GB/plugincheck/
I am redirected to
https://www.mozilla.org/en-US/plugincheck/

DJ-Leith
(Assignee)

Comment 1

3 years ago
Did anything on the DB side change Matt?
Flags: needinfo?(mgrimes)
(Reporter)

Comment 2

3 years ago
Created attachment 8592800 [details]
Plugincheck-Fx-37-0-1-Reader-WRONG-Flash-Correct-2015-04-15.png

As in bug 938885 comment # 59,
I have used a new Profile, on Firefox 37.0.1 Release, to do tests without any Addons.

> STR
> 
> Windows 7 64bit OS, Firefox 37 Release (32bit), en-GB.
> 
> 1. Fresh profile.
>     Do not add ANY Addons.
>     As the Plugins are 'machine wide' I have several that I can test.
> 
> 2. Start Firefox, get first run etc.
> 3. Close Firefox.
> 
> Repeat 2 and 3 several times (to finish 'first run / fresh Firefox profile').
> 
>   I did steps 1-3 today to eliminate any of my Addons from confounding the tests.
>   All my 'normal tests', previously reported in Bugzilla,
>   have been on 'test Profiles that have been in use for months'.
> 
> 
> 4. Visit
> 
> https://www.mozilla.org/en-US/plugincheck
I did this
> The way a 'User is expected to do this' is:
> in "about:addons", at the top of the "Plugins" Tab.
> If you 'click the link' "Check to see if your plugins are up to date".

I was redirected to:
https://www.mozilla.org/en-US/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update


"Plugincheck-Fx-37-0-1-Reader-WRONG-Flash-Correct-2015-04-15.png"
See the attached screenshot.
The result for Flash is correct [see Bug 1154397 (to add Flash 17.0.0.169)].
The result for Reader is wrong.

I have deliberately NOT updated Flash, so that I have a vulnerable version to
test bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable, on Windows 7"
(see bug 1084537 comment # 36).

I have also tested

https://www.mozilla.org/de/plugincheck/
https://www.mozilla.org/fr/plugincheck/
https://www.mozilla.org/it/plugincheck/

I cleared all cookies and repeated (using <Ctrl>+<Shift>+<R> to reload without cache).

All have the 'wrong result' for Reader.

I also reverified steps 4 to 8 (on en-US),
from bug 938885 comment # 59,
clearing all cookies and cache each time.
> 5. In "about:config" search for "plugins"
> and modify "plugins.enumerable_names"
> from the default "*" which means 'enumerate all plugins'
> to "Shockwave" which means 'test my Flash plugin' in this context.
> 
> 6.  Do another Plugincheck.  ONLY Flash will be 'tested and reported on'.
> 
> 7.  Modify "plugins.enumerable_names" to "" (empty string).
> 
> 8.  Do another Plugincheck.
> Now, because NO plugins are being enumerated,
> NO tests are done and NO 'results are shown'.

Schalk,
This does, I fear, look like
bug 1020133 "Improve Adobe Acrobat plugin reporting".

On 2014-11-24 at 23:58:48 PST Schalk Neethling [:espressive]
in bug 1020133 comment # 85 said:
> Improvements to this has landed on production. Please give it a whirl and let
> me know your feedback. Just one important note, please keep feedback here
> related to Adobe Reader/Acrobat only.

On 2014-11-20, in bug 1102198 comment # 2 there is a Bedrock pull request mentioned.
See my comment in bug 1102198 comment # 3, where STAGE and LIVE have different results.
Then
on 2014-11-24, in bug 1102198 comment # 4:
> Commits pushed to master at https://github.com/mozilla/bedrock.

It is only since then that I have seen:

A. The 'JSON List' method REQUIRES "plugins.enumerable_names" set to "*"
B. The 'JSON List' method has "unknown" plugins reported - GOOD.
On the LIVE sites.

DJ-Leith
Flags: needinfo?(schalk.neethling.bugs)

Comment 3

3 years ago
Actually, Adobe has released not one, but two new versions of Reader.  The new versions of Reader are called Adobe Acrobat Reader DC, and they have two different release tracks, Classic and Continuous (see http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/whatsnewdc.html for discussions of the new tracks).  Check for updates in Reader XI won't find the new version because of the name/version number change.  The version numbers are different depending on what track's installed - the current Classic version is 2015.006.30033, while the current Continuous version is 2015.007.20033 (not sure on the hidden change list field version - I did Help | About, but it didn't show that in my install).  I have the current Classic version installed, as I ran the plugin check yesterday, saw Reader was out of date, poked around, and saw what was going on with the new Acrobat Reader DC versions.  

The plugin for the Classic version is 15.6.30033.2205, according to what the plugin check is showing me.  Unfortunately, the plugin check is saying that's out of date, when it isn't.  I did double check Adobe's FTP site to make sure I still had the latest version when I was finding those version numbers, and I'm current.
(Reporter)

Comment 4

3 years ago
Created attachment 8594407 [details]
Adobe-Reader-PFS-BUG-1154431-with-line-numbers-scratchpad-2015-04-18.txt

"Adobe-Reader-PFS-BUG-1154431-with-line-numbers-scratchpad-2015-04-18.txt"
I will comment on this attached file in comment # 5 - below.

1 of 4.

FAO those who can edit the Plugincheck Database.

Please review the Database in light of the evidence provided
in this comment and the following three.

If you are unfamiliar with the 'Plugincheck Service',
there is a short reminder of 'how we got here' in
bug 938885 comment # 53.

Longer introduction, with background,
see bug 956905 comment # 148 onwards.


(In reply to Jenn Scott from comment #3)
Jenn, that is useful information.

So here are the URLs, as seen from UK, about Adobe's new software.

"Adobe Document Cloud /"
"Adobe Acrobat Reader DC"
https://acrobat.adobe.com/uk/en/products/pdf-reader.html

> The all-new Reader. For your all-important documents.
> Work with PDFs on any device.
" ... Do more with the leading PDF viewer. ..."
So, it seems to me a replacement for the 'Reader' - that can VIEW PDFs.

From the URL (in comment # 3) that Jenn Scott cited:
http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/whatsnewdc.html
> ... The Classic track is similar to the 10.x-11.x model and does
> not provide new features in updates.


Next, is the software to edit PDFs (costs money).

"Adobe Document Cloud /"
"Adobe Acrobat DC"
https://acrobat.adobe.com/uk/en/acrobat.html

Adobe have kept the understanding 'Acrobat means edit' that they have used
for many years (in bug 1020133 "Improve Adobe Acrobat plugin reporting" there
was quite a lot of discussion on the use of the name "Acrobat").


However, I still do not see any published Security Bulletin
(from Adobe - see comment # 0 - checked again today) that would advise
users of "Adobe Reader 11.0.10.32" that they should update.

Adobe did publish Security Bulletins
for Flash, Cold Fusion and Flex on 2015-04-14. 

Adobe Reader might be vulnerable, see bug 1117189 comment # 4:
> ... ...
> I anticipate that Adobe will shortly be updating Reader to mitigate bugs
> that were found at Pwn2Own 2015.
> 
> https://threatpost.com/all-major-browsers-fall-at-pwn2own-day-2/111731
> by Chris Brook
> March 20, 2015, 11:26 am
> 
> The blog post ends:
> ... ...
> > With Pwn2Own, a hacking competition hosted by HP's Zero Day Initiative
> > and Google's Project Zero, drawing to a close the final tally for bugs
> > over the past two days is as follows:
> > 
> >   * Microsoft Windows: 5 bugs
> >   * Microsoft IE 11: 4 bugs
> >   * Mozilla Firefox: 3 bugs
> >   * Adobe Reader: 3 bugs
> >   * Adobe Flash: 3 bugs
> >   * Apple Safari: 2 bugs
> >   * Google Chrome: 1 bug
> >   * $442,500 paid out to researchers
> 
> So, I would like to test and verify that plugincheck correctly reports 
> Adobe Reader "11.0.9.29" as "vulnerable" - and then update Reader to a
> less vulnerable version.
> 
> https://helpx.adobe.com/security/products/reader.html
> 
> DJ-Leith



It would be good to know why the 'Plugincheck Service' is
now reporting "Adobe Reader 11.0.10.32" as "vulnerable".

Since May 2015, when the 'JSON List' was enabled, we could
only use the 'new plugincheck that used the JSON List' for
Firefox Beta, Aurora and Nightly.

Firefox Release still used the 'old plugincheck' which used the
Plugin Finder Service (PFS) [AKA the dynamic URLs].
As each version of Firefox was Released the
'code to detect the version by UA' was updated.

The MOST COMMON inaccurate report, by the 'Plugincheck that
used the JSON List method of getting data from the
Plugincheck Database' to then 'do the Plugincheck Test
at the Plugincheck Website using the data in the JSON List'
was about the Adobe Reader plugin.

In particular, when Windows PCs visited the 'Plugincheck Website',
the PFS did NOT 'return data about Mac plugins'.

On the other hand, the 'JSON List' had data about
BOTH Mac and Windows plugins.  The 'test of the plugin
against the JSON List' seemed to 'use data about Mac plugins'
when it should NOT, and so give the 'wrong report'.


***
As far as I can tell, from reading in Bugzilla (in public bugs),
the change to the 'Plugincheck Service', seen in this bug, is 'unexpected'.
This is why Schalk Neethling [:espressive] in comment # 1 asked:
> Did anything on the DB side change Matt?
***


AFAICT, the most recent changes to the Plugincheck Database
(about Adobe Reader) is bug 1117189.

On 2015-03-23 (bug 1117189 comment # 7) the Database was updated.
I could see 'correct report for Reader' on 2015-03-23.

I used Plugincheck daily from 2015-03-23 onwards.
I first saw an 'incorrect report for Reader', after 2015-03-23,
on 2015-04-14 (comment # 0).

DJ-Leith
Flags: needinfo?(rmcguigan)
(Reporter)

Comment 5

3 years ago
Created attachment 8594408 [details]
Flash-plugincheck-BUG-1084537-JSON-List-with-line-numbers-scratchpad-2015-04-10.txt

"Flash-plugincheck-BUG-1084537-JSON-List-with-line-numbers-scratchpad-2015-04-10.txt"
I will comment on this attached file in comment # 6 - below.

2 of 4.

Have there been changes to the 'Plugincheck Database'?

I can't see the 'Plugincheck Database'.

The 'JSON List' does NOT include any data about 'when the data was
extracted from the Database and put into the JSON List'.

See bug 1105483
"Add a 'Generated' Date and Time stamp to the top of the 'Plugincheck JSON List'"
I still think that bug would help to debug the 'Plugincheck Service'.

However, the PFS data (which tended to give more accurate results for Reader)
BUT which sometimes had 'stale data'
(see bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable, on Windows 7")
DOES have data about 'when the Database records are Created and Modified'
as well as when the data was "fetched" by the PFS.

See "Adobe-Reader-PFS-BUG-1154431-with-line-numbers-scratchpad-2015-04-18.txt"
attached to comment # 4:
https://bug1154431.bugzilla.mozilla.org/attachment.cgi?id=8594407

Comments:

Is the 'data fresh'?
> 0046         'fetched': '2015-04-18T12:24:11-07:00',
Yes, when I checked it was about 5 min old – GOOD.
It has taken some time for me to look at the data,
add the line numbers, and draft these posts.

Does it contain data about 'Adobe Reader 11.0.10.32'?
Yes, remember you only need the "11.0.10" and not the ".32" at the end.

Here it is:
> 0023   'releases': {
> 0024     'latest': [
> 0025       {
> 0026         'id': '4',
> 0027         'pfs_id': 'adobe-reader',
> 0028         'name': 'Adobe Reader',
> 0029         'description': 'Adobe PDF Plug-In For Firefox and Netscape',
> 0030         'vendor': 'Adobe',
> 0031         'url': 'http://get.adobe.com/reader/',
> 0032         'modified': '2015-04-14T21:49:54+00:00',
> 0033         'created': '2014-12-12T16:35:56+00:00',
> 0034         'plugin_id': '2',
> 0035         'os_id': '3',
> 0036         'platform_id': '4',
> 0037         'status': 'latest',
> 0038         'version': '11.0.10',
> 0039         'detected_version': '11.0.10',
> 0040         'detection_type': '*',
> 0041         'os_name': 'win',
> 0042         'app_id': '*',
> 0043         'app_release': '*',
> 0044         'app_version': '*',
> 0045         'locale': '*',
> 0046         'fetched': '2015-04-18T12:24:11-07:00',
> 0047         'relevance': 3

Note it was Modified AFTER I did the test on 2015-03-23!
> 0032         'modified': '2015-04-14T21:49:54+00:00',
> 0033         'created': '2014-12-12T16:35:56+00:00',

Also, as it is the "latest" plugin there is NO "vulnerability_url".

Is there data about 'Adobe Reader 11.0.9.'?
NO, but there is data about "11.0.09"!

Here it is:
> 0486         'id': '4',
> 0487         'pfs_id': 'adobe-reader',
> 0488         'name': 'Adobe Reader',
> 0489         'description': 'Adobe PDF Plug-In For Firefox and Netscape',
> 0490         'vendor': 'Adobe',
> 0491         'url': 'http://get.adobe.com/reader/',
> 0492         'modified': '2015-04-14T21:49:54+00:00',
> 0493         'created': '2014-12-12T16:35:12+00:00',
> 0494         'plugin_id': '2',
> 0495         'os_id': '3',
> 0496         'platform_id': '4',
> 0497         'status': 'vulnerable',
> 0498         'vulnerability_description':
> 'These updates address vulnerabilities that could potentially allow an
> attacker to take over the affected system.',
> 0499         'vulnerability_url': 'http://helpx.adobe.com/security/products/reader/apsb14-28.html',
> 0500         'version': '11.0.09',
> 0501         'detected_version': '11.0.09',
> 0502         'detection_type': '*',
> 0503         'os_name': 'win',
> 0504         'app_id': '*',
> 0505         'app_release': '*',
> 0506         'app_version': '*',
> 0507         'locale': '*',
> 0508         'fetched': '2015-04-18T12:24:11-07:00',
> 0509         'relevance': 3

Again, this was Modified after 2015-03-23 when I had the 'correct result', "vulnerable"
for Adobe Reader "11.0.9.29".

See bug 1117189 comment # 8 (on 2015-03-23 at 17:51:51 PDT): 
> Now report Adobe Reader "11.0.9.29" as "vulnerable" - correct!
> 
> Thank you for sorting this rmcguigan.
> 
> DJ-Leith

In the PFS data the plugin has been modified on 2015-04-14
AND the data is WRONG - it should be "11.0.9" (not "11.0.09").
> 0492         'modified': '2015-04-14T21:49:54+00:00',
> 0493         'created': '2014-12-12T16:35:12+00:00',

That is the 'main point' of bug 1117189.


Is there data about "mac"?
NO, the PFS URL has parameters that select for
"... clientOS=Windows ..." and NO mac data is returned.

This is 'what I would expect': it is correct to NOT send Mac data
using this 'PFS URL'.

DJ-Leith
(Reporter)

Comment 6

3 years ago
Created attachment 8594410 [details]
Fx-UA-36-JSON-List-with-line-numbers-scratchpad-2015-04-17.txt

"Fx-UA-36-JSON-List-with-line-numbers-scratchpad-2015-04-17.txt"
I will comment on this attached file in comment # 7 - below.

3 of 4.

Looking at the 'JSON List' from 2015-04-10
(I was doing lots of tests and I just happened to collect a 'JSON List' then) see:
"Flash-plugincheck-BUG-1084537-JSON-List-with-line-numbers-scratchpad-2015-04-10.txt"
attached to comment # 5 as
https://bug1154431.bugzilla.mozilla.org/attachment.cgi?id=8594408


Data is, AFAICT, reasonably fresh.

>     ***    We do NOT know when the 'JSON List' was generated (see bug 1105483
>     ***    "Add a 'Generated' Date and Time stamp to the top of the 'Plugincheck JSON List' ")
>     ***      However, line 0550 shows Flash 17.0.0.134 which was added
>     ***      on 2015-03-13 at 11:17:04 PDT (bug 1143079).
> 0009  jQuery111008872308988399221_1428693762207({
> 0010    'plugins': {

We see:

Reader for Windows "11.0.09" WRONG.
> 1888                'status': 'vulnerable',
> 1889                'vulnerability_description':
> 'These updates address vulnerabilities that could potentially
> allow an attacker to take over the affected system.',
> 1890                'vulnerability_url':
> 'http://helpx.adobe.com/security/products/reader/apsb14-28.html',
> 1891                'version': '11.0.09',
> 1892                'detected_version': '11.0.09',
> 1893                'detection_type': '*',
> 1894                'os_name': 'win',
> 1895                'platform': {
> 1896                  'app_id': '*',
> 1897                  'app_release': '*',
> 1898                  'app_version': '*',
> 1899                  'locale': '*'

We also see Reader for Mac:
> 2145                'status': 'vulnerable',
> 2146                'vulnerability_description':
> 'These updates address vulnerabilities that could potentially
> allow an attacker to take over the affected system.',
> 2147                'vulnerability_url':
> 'http://helpx.adobe.com/security/products/reader/apsb14-28.html',
> 2148                'version': '11.0.09',
> 2149                'detected_version': '11.0.09',
> 2150                'detection_type': '*',
> 2151                'os_name': 'mac',
> 2152                'platform': {
> 2153                  'app_id': '*',
> 2154                  'app_release': '*',
> 2155                  'app_version': '*',
> 2156                  'locale': '*'

We ALSO see the 'nearly correct' data for
'Reader for Windows'.
> 1876                'version': '11.0.9.29',
should, I think (if it were correct), be:
> 1876                'version': '11.0.9',
without the trailing ".29"

The whole block is:
> 1873                'status': 'vulnerable',
> 1874                'vulnerability_description':
> 'These updates address vulnerabilities that could potentially
> allow an attacker to take over the affected system',
> 1875                'vulnerability_url':
> 'http://helpx.adobe.com/security/products/reader/apsb14-28.html',
> 1876                'version': '11.0.9.29',
> 1877                'detected_version': '11.0.9.29',
> 1878                'detection_type': 'original',
> 1879                'os_name': 'win',
> 1880                'platform': {
> 1881                  'app_id': '*',
> 1882                  'app_release': '*',
> 1883                  'app_version': '*',
> 1884                  'locale': '*'


Here is a section about a mac plugin "11.0.9.29".

> 2130                'status': 'vulnerable',
> 2131                'vulnerability_description':
> 'These updates address vulnerabilities that could potentially
> allow an attacker to take over the affected system',
> 2132                'vulnerability_url':
> 'http://helpx.adobe.com/security/products/reader/apsb14-28.html',
> 2133                'version': '11.0.9.29',
> 2134                'detected_version': '11.0.9.29',
> 2135                'detection_type': 'original',
> 2136                'os_name': 'mac',
> 2137                'platform': {
> 2138                  'app_id': '*',
> 2139                  'app_release': '*',
> 2140                  'app_version': '*',
> 2141                  'locale': '*'

So, on 2015-04-10 we had "11.0.9" data, for Windows,
and (from 2015-03-23 until 2015-04-14) the 'correct result' for
Reader "11.0.9.29" being declared "vulnerable".

DJ-Leith
(Reporter)

Comment 7

3 years ago
4 of 4.

Looking at the 'JSON List' as it was on 2015-04-17.

"Fx-UA-36-JSON-List-with-line-numbers-scratchpad-2015-04-17.txt"
attached to comment # 6 as
https://bug1154431.bugzilla.mozilla.org/attachment.cgi?id=8594410


Data is, AFAICT, reasonably fresh.
>            ***    We do NOT know when the 'JSON List' was generated (see bug 1105483
>            ***    "Add a 'Generated' Date and Time stamp to the top of the 'Plugincheck JSON List' ")
>            ***      However, line 0592 shows Flash 17.0.0.169 which was added
>            ***      on 2015-04-14 at 11:59:33 PDT (bug 1154397).
> 0009 {
> 0010   'plugins':


I would hope to see Flash 17.0.0.134.
It is NOT there (but 17.0.0.169 is).

My understanding is that 'as each plugin is added',
e.g. Flash 17.0.0.169,
the previous AND NOW VULNERABLE plugin has its record Modified.

The "vulnerability_url" for 17.0.0.134 should be added.
i.e.
https://helpx.adobe.com/security/products/flash-player/apsb15-06.html


rmcguigan on 2015-04-14 at 11:59:33 PDT in bug 1154397 comment # 3 said:
> Correction:
> Latest -> Adobe Flash Player 17.0.0.169 (win & mac) 
> Latest-> 11.2.202.457 (lin)
> 
> Vulnerable-> 17.0.0.134(win & mac)
> Vulnerable-> 11.2.202.451(lin) (edit) 

You will also find
BOTH 11.0.09 which is WRONG for Windows
and
11.0.9 (but entered as "11.0.9.29")
as we saw in comment # 6 - above.

The line numbers are different (expected as the 'JSON List' has more data).
Search the txt file yourself.

Please review the Plugincheck Database.

DJ-Leith

Comment 8

https://helpx.adobe.com/security/products/reader/apsb15-10.html-> vulnerability url was added
Flags: needinfo?(rmcguigan)
(Reporter)

Comment 9

3 years ago
In bug 1154410 comment # 5 Mark Schmidt (:marksc) on 2015-05-01 at 11:04:22 PDT wrote: 

> Note: That page is updated much more frequently than bugzilla would suggest.
> The current change process for that page is very informal. This will likely change
> for the better in the near future.

I think "That page", in the above comment, is 'the Plugincheck Database'.

I think a more formal record, of changes to the Plugincheck Database,
would be a good idea.

(In reply to rmcguigan from comment #8)
> https://helpx.adobe.com/security/products/reader/apsb15-10.html-> vulnerability url was added

Thank you, rmcguigan, for adding the data and documenting the addition.
However, on doing some further reading I am not sure what comment # 8 means.
  I now think you are pointing out that Adobe will be
  making an announcement soon.


To start with I 'made a wild guess' and thought:

A.'Adobe have announced a vulnerability and have recommended a new version'
AND also

B. 'rmcguigan has added this new version to the Plugincheck Database'
AND also

C. Some of the existing versions, in the Plugincheck Database, have had
the above 'vulnerability URL' added to their records.

I now think none of 'my reading of the comment' is correct.


I have looked at the "Prenotification Security Advisory for Adobe Reader"

https://helpx.adobe.com/security/products/reader/apsb15-10.html

> Prenotification Security Advisory for Adobe Reader
> 
> Release date: May 7, 2015
> 
> Vulnerability identifier: APSB15-10
> 
> Priority: See table below
> 
> Platform: Windows and Macintosh
> 
> Summary
> 
> Adobe is planning to release security updates on
> Tuesday, May 12, 2015 for Adobe Reader for Windows and Macintosh.

My understanding is now:

1. In the near future, on 2015-05-12, Adobe will announce
that Reader is "vulnerable" and 'what version to update to'.

I expected this:
  See bug 1117189 comment # 4,  DJ-Leith 2015-03-21 07:32:42 PDT
  and comment # 3 (2015-04-18 03:43:01 PDT), above in this bug,
  where Jenn Scott told us about 'new versions of Reader' which
  MIGHT well be the versions that Adobe will, in the near future,
  be advising are the
  'versions to use in place of the vulnerable version'.

2. Until we have Adobe's recommendation we do NOT KNOW which
version to add to the 'Plugincheck Database'.

3. When we know, we should carefully review the data in the
'Plugincheck Database' about 'Adobe Reader'.

In this review please can you, in addition to any other checks
you might make, also do the following:

MODIFY records about "11.0.9.29"
See comment # 6
> 1876                'version': '11.0.9.29',
> 1877                'detected_version': '11.0.9.29',
> 1878                'detection_type': 'original',
> 1879                'os_name': 'win',

> 2133                'version': '11.0.9.29',
> 2134                'detected_version': '11.0.9.29',
> 2135                'detection_type': 'original',
> 2136                'os_name': 'mac',

These should be "11.0.9.0" (the .29 at the end is 'too specific').

DELETE any data about "11.0.09"
See bug 1117189
"Plugincheck Database - Review and correct
Adobe Reader 11.0.9 vs 11.0.09 ("nppdf32.dll" is "11.0.9.29")"

We saw, comment # 5, the PFS (on 2015-04-18) showed this:

> 0492         'modified': '2015-04-14T21:49:54+00:00',
> 0493         'created': '2014-12-12T16:35:12+00:00',

> 0500         'version': '11.0.09',
> 0501         'detected_version': '11.0.09',
> 0502         'detection_type': '*',
> 0503         'os_name': 'win',

> 0508         'fetched': '2015-04-18T12:24:11-07:00',


We saw, comment # 6, the 'JSON List' STILL had:  

> 1891                'version': '11.0.09',
> 1892                'detected_version': '11.0.09',
> 1893                'detection_type': '*',
> 1894                'os_name': 'win',
> 1895                'platform': {

> 2148                'version': '11.0.09',
> 2149                'detected_version': '11.0.09',
> 2150                'detection_type': '*',
> 2151                'os_name': 'mac',

This data is STILL in the 'JSON List' when I looked today.
https://bug1154397.bugzilla.mozilla.org/attachment.cgi?id=8604174
> 0008  */
>            *** Thirty lines added here
>            ***
>            ***  URL: https://plugins.mozilla.org/en-us/plugins_list.json
>            ***    Date: 2015-05-11  Time: approx 12:30 BST, (2015-05-11 04:30:00 PDT)
>            ***  Browser: Fx Aurora (AKA Firefox Development Edition) 39.0a2 (2015-05-10)

> 1826               'version': '11.0.09',
> 1827               'detected_version': '11.0.09',
> 1828               'detection_type': '*',
> 1829               'os_name': 'win',

> 2070               'version': '11.0.09',
> 2071               'detected_version': '11.0.09',
> 2072               'detection_type': '*',
> 2073               'os_name': 'mac',


ADD records for 'the version Adobe now recommend'
and ensure that the 'vulnerability URL' is added to the
records for versions that are 'now known to be vulnerable'.


For the record, the 'JSON List' as seen
Date: 2015-05-11 Time: approx 12:30 BST, (2015-05-11 04:30:00 PDT)
does NOT contain "apsb15-10.html".

Had all three steps (A B and C - above) been done, on 2015-05-09
(as I thought *wrongly* they had been done - when I first read comment # 8),
then I would expect to find "apsb15-10.html" in the 'JSON List' by
the time I looked on Monday.


FAO Mark Schmidt
I am 'just making suggestions', you should be making the decisions.
I have added a needinfo in case you have not seen this bug.

DJ-Leith
Flags: needinfo?(mschmidt)

Comment 10

3 years ago
Same here on Windows 7: Adobe Reader XI (v11.0.11) is installed, which appears to be the latest version as of 2015-05-12: https://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

And about:plugins in this Firefox 38.0.1 instance says:

==========================
    File: nppdf32.dll,nppdf32.dll
    Path: C:\Program Files\Adobe\Reader 11.0\Reader\browser\nppdf32.dll,C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
    Version: 11.0.11.18
    State: Enabled
    Adobe PDF Plug-In For Firefox and Netscape 11.0.11
==========================

Yet Plugin Check disagrees and says "outdated, 11.0.11.18" - and points me to https://get.adobe.com/reader/ where one can install "Adobe Acrobat Reader DC", Version 2015.007.20033

Updated

2 years ago
Flags: needinfo?(mgrimes)

Comment 11

2 years ago
I can confirm what Christian Kujau said: 
-Adobe Reader version 11.0.11.18 is the latest of the 11.x versions
-It is not reported by Adobe to be vulnerable, to the best of our knowledge
-When running this version and using the "Check for Updates..." function, Adobe Reader reports: "No updates available."

So the plugin check wrongly reports this version as vulnerable. Could somebody fix this please?

Comment 12

2 years ago
A couple of Adobe Reader iterations later and this issue seems to have fixed itself. I've installed Acrobat Reader DC (?), v2015.008.20082 and Plugincheck agrees that I have the most current version:

Adobe Reader
Adobe PDF Plug-In For Firefox and Netscape
Up to Date
15.8.20082.15957
(Assignee)

Comment 13

2 years ago
Great news, please feel free to reopen this bug if the problem happens again.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(schalk.neethling.bugs)
Flags: needinfo?(mschmidt)
Resolution: --- → FIXED

Comment 14

2 years ago
No, the problem has not generally been solved.

You see, there is more than one Adobe Reader version which is "the latest", because there is more than one flavour of Adobe Reader. The problem might not occur for Adobe Reader DC (anymore), but it still does occur for Adobe Reader XI. The latest version of this kind is 11.0.12.18 which is shown as vulnerable in the plugin check, but this is nonsense since this is the most recent and up-to-date version for Adobe Reader XI.

How can I change the status of this bug entry?

Comment 15

2 years ago
Actually, it does still happen with the latest version of Adobe Reader DC - if you're on the Classic track instead of the Continuous one.  The latest version of the plugin for the Classic track is 15.6.30060.15959.  I double checked Adobe's FTP site to make sure I had the latest version, and the file date for the updater is 7/9/15, which matches the release date for the latest Continuous version, which Christian has installed.  According to Help | About, the version number is 2015.006.30060, and the version file version (which I accidentally found by clicking on the normal version number in Help | About) is 15.006.30060.15959, pretty much matching the plugin version.  Plugin Check says I'm outdated.  Can Plugin Check handle a case like this, where there are different valid up-to-date versions?
(Assignee)

Updated

2 years ago
Assignee: nobody → schalk.neethling.bugs
(Assignee)

Updated

2 years ago
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: FIXED → ---
(Reporter)

Comment 16

2 years ago
Schalk,

Thanks for reopening.

(In reply to Sebastian Nowak from comment #14)
> No, the problem has not generally been solved.
> 
> You see, there is more than one Adobe Reader version which is "the latest",
> because there is more than one flavour of Adobe Reader. The problem might not
> occur for Adobe Reader DC (anymore), but it still does occur for Adobe Reader XI.
> The latest version of this kind is 11.0.12.18 which is shown as vulnerable in
> the plugin check, but this is nonsense since this is the most recent and
> up-to-date version for Adobe Reader XI.

I agree.  I also think that there will be many users who will remain on
Adobe Reader XI versions (e.g. 11.0.12.18).  So I am going to propose
(see 4 - below) that more 'families of Reader' are tracked and tested.


4 points

1. Summary of the scope of this bug.

I know bug 1020133 "Improve Adobe Acrobat plugin reporting" is closed.

That bug had a 'wider title' than this bug but
"Plugincheck - Improve Adobe Reader plugin reporting"
is now the best summary of the bug.

I have edited the Summary:
Old: "Plugincheck - Adobe Reader 11.0.10.32 shown as vulnerable, in Error"
New: "Plugincheck - Improve Adobe Reader plugin reporting"

2. Immediate cause of this bug
(In reply to Schalk Neethling [:espressive] from comment #1)
> Did anything on the DB side change Matt?

I now think that the immediate cause of this bug, on 2015-04-14, was
an 'undocumented change' [i.e. no public Bugzilla Bug] to the Plugincheck Database.

In bug 1154410 comment # 5 Mark Schmidt (:marksc) on 2015-05-01 at 11:04:22 PDT wrote: 

> Note: That page is updated much more frequently than bugzilla would suggest.
> The current change process for that page is very informal. This will likely change
> for the better in the near future.

I think "that page", in the quote, is the Plugincheck Database.

I think a more formal record, of changes to the Plugincheck Database,
would be a good idea.

3. See also

Bug 1181285 "Plugincheck back-end does not allow defining version ranges for
vulnerable plugins"


4. I propose that you 'track and test for':

4A. Reader XI

4B. Acrobat Reader DC Classic

4C. Acrobat Reader DC Continuous

As documented in a recent "Adobe Security Bulletin" which lists
'Reader families' see:
https://helpx.adobe.com/security/products/reader/apsb15-15.html

DJ-Leith
Summary: Plugincheck - Adobe Reader 11.0.10.32 shown as vulnerable, in Error → Plugincheck - Improve Adobe Reader plugin reporting
(Assignee)

Comment 17

2 years ago
So, looking at https://get.adobe.com/reader/otherversions/

I found the following version information for the current, latest releases for each platform.

## Windows

2015.008.20082
11.0.10
10.1.4

## Mac

2015.008.20082
11.0.10
10.1.4

From this https://helpx.adobe.com/security/products/reader-linux.html, it seems Adobe Reader is no longer available for Linux? Is this correct?

Comment 18

2 years ago
(In reply to Schalk Neethling [:espressive] from comment #17)
> So, looking at https://get.adobe.com/reader/otherversions/
> 
> I found the following version information for the current, latest releases
> for each platform.
> 
> ## Windows
> 
> 2015.008.20082
> 11.0.10
> 10.1.4

That's not listing the Classic version for Reader DC, which is currently version 2015.006.30060.  I took a quick look at Adobe's FTP site, and the Mac version for Classic DC should be the same.  Classic's intended more for business, so that's probably why it doesn't show up on the other versions page.
(Assignee)

Comment 19

2 years ago
Thank you for the additional information. Does anyone know whether Adobe has a list of versions somewhere that are vulnerable, and latest? That would be super helpful.
(Reporter)

Comment 20

2 years ago
(In reply to Schalk Neethling [:espressive] from comment #19)
> Thank you for the additional information. Does anyone know whether Adobe has a
> list of versions somewhere that are vulnerable, and latest? That would be super
> helpful.

In short, no I don't.
Perhaps you could ask Adobe for their definitive answer?

I had, in comment # 16, cited:
https://helpx.adobe.com/security/products/reader/apsb15-15.html
> Release date: July 14, 2015
This lists the most recently declared vulnerable versions (before listing the new versions)

> Affected Versions
> Product             Track        Affected Versions   Platform
> Acrobat DC          Continuous   2015.007.20033      Windows and Macintosh
> Acrobat Reader DC   Continuous   2015.007.20033      Windows and Macintosh
> 
> Acrobat DC          Classic      2015.006.30033      Windows and Macintosh
> Acrobat Reader DC   Classic      2015.006.30033      Windows and Macintosh
> 
> Acrobat XI          N/A          11.0.11 and earlier versions   Windows and Macintosh
> Acrobat X           N/A          10.1.14 and earlier versions   Windows and Macintosh
> 
> Reader XI           N/A          11.0.11 and earlier versions   Windows and Macintosh
> Reader X            N/A          10.1.14 and earlier versions   Windows and Macintosh

The latest versions, on 2015-07-14, are:
> Product             Track        Updated Versions    Platform 
> Acrobat DC          Continuous   2015.008.20082      Windows and Macintosh 
> Acrobat Reader DC   Continuous   2015.008.20082      Windows and Macintosh 
> 
> Acrobat DC          Classic      2015.006.30060      Windows and Macintosh 
> Acrobat Reader DC   Classic      2015.006.30060      Windows and Macintosh 
> 
> Acrobat XI          N/A          11.0.12             Windows and Macintosh 
> Acrobat X           N/A          10.1.15             Windows and Macintosh 
> 
> Reader XI           N/A          11.0.12             Windows and Macintosh 
> Reader X            N/A          10.1.15             Windows and Macintosh 


*** Linux ***

(In reply to Schalk Neethling [:espressive] from comment #17)
> Fro this https://helpx.adobe.com/security/products/reader-linux.html, it seems
> Adobe Reader is no longer available for Linux? Is this correct?

Well, 

> Version 9.x
> Brief                                                  Originally posted  Last updated
> APSB13-15 Security updates ... for Adobe Reader <snip> 5/14/2013          8/8/2013
does seem to be quite old now (more than 2 years).
I speculate that only Reader X [ten] and XI [eleven] are 'still supported' but I don't KNOW.

All of Adobe's "Security Bulletins and Advisories" for Reader are here:
https://helpx.adobe.com/security.html#reader

I had a look at all of them, starting with the most recent, to see when Linux
was last mentioned.

See
http://www.adobe.com/support/security/bulletins/apsb13-15.html
> Release date: May 14, 2013

Inferring from the declared vulnerable versions I think that the following is
the best information for Linux.

This also 'cross checks' - similar dates - with the 
https://helpx.adobe.com/security/products/reader-linux.html
that Schalk cited (quoted above).

> Affected software versions
> Adobe Reader 9.5.4 and earlier 9.x versions for Windows, Macintosh and Linux

Below this we have (the new 2013-05-14 versions listed):
> Product        Updated Version   Platform 
> Adobe Reader   XI (11.0.03)      Windows and Macintosh 
>                X (10.1.7)        Windows and Macintosh 
>                9.5.5             Windows 
>                9.5.5             Macintosh 
>                9.5.5             Linux 

Then below we have:
> Users of Adobe Reader 9.5.4 and earlier versions for Linux should update
> to Adobe Reader 9.5.5. 

So, for the Plugincheck Database, I would propose "9.5.5" as the "outdated" for Linux
and "9.5.4" as "vulnerable".
I say "outdated" (not "latest") because I think it is no longer supported.

Now, a question I can't answer is:
'How do we deal with versions that are not being maintained?'
I don't KNOW if Adobe are 'maintaining version 9.x for Linux', but I think they are not.

I did another search and I found this:
https://helpx.adobe.com/acrobat/kb/end-support-acrobat-8-reader.html

Which has:

> Acrobat Help / 
> End of support | Reader 9 and Acrobat 9 (and earlier)

> As stated in the Adobe Support Lifecycle Policy, Adobe provides five years
> of product support, starting from the general availability date of Adobe Reader
> and Adobe Acrobat. In line with this policy, support for Adobe Reader 9.x and
> Adobe Acrobat 9.x ended on June 26 2013.
> 
> Note: Adobe supports only the most recent major version of Adobe Reader for
> Linux, which is version 9.x.

"Adobe Support Lifecycle Policy" (just quoted) links to:
http://www.adobe.com/support/programs/policies/policy_enterprise_lifecycle.html

From there there is a link to
http://www.adobe.com/support/products/enterprise/eol/eol_matrix.html

Here you can 'pick a product' e.g. Adobe Reader.

> Product name Version Build  General availability  End of core support   End of extended support
> Adobe Reader 9.x            6/23/2008             6/26/2013             N/A

Sorry I can't be more helpful.  I speculate that Adobe are more interested in
getting folk to use Reader DC than they are in documenting 'old versions'.

I do think, however, that Reader XI is still supported and that the
'Plugincheck Service' should report "11.0.12.x" as "latest" (not "outdated").


DJ-Leith
(Assignee)

Comment 21

2 years ago
Thank you for the ton of information DJ. I have made a bunch of updates to the database and I believe we are in a much better situation now in terms of the status of versions across win, mac and linux.

I am going to close this one again but, as before, if anyone runs into problems, please let me know.
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Comment 22

2 years ago
For about a week Adobe Reader DC 15.8.20082 has appeared as outdated although there are no newer versions posted anywhere newer than July 14. I also never heard of any attack in the wild. I checked all the relevant sources:
Official download: https://get.adobe.com/reader/
All Adobe Reader downloads: https://www.adobe.com/support/downloads/product.jsp?platform=windows&product=10
Adobe FTP: 
ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/
ftp://ftp.adobe.com/pub/adobe/reader/win/Acrobat2015/
Adobe security bulletins: https://helpx.adobe.com/security.html#acrobat
Albert is seeing the same thing we are seeing in the forums. This might need to be revisited since there is a larger impact at the moment. Bug 1197015
Flags: needinfo?(schalk.neethling.bugs)
See Also: → bug 1197015
(Assignee)

Updated

2 years ago
Flags: needinfo?(schalk.neethling.bugs)

Comment 24

2 years ago
Hm, I guess this issue is back now:

> Adobe Reader
> Adobe PDF Plug-In For Firefox and Netscape
> vulnerable
> 15.10.20056.36345

So, I closed Firefox (today's Nightly), uninstalled "Adobe Reader DC" (that's how it's called now), opened Firefox and the Adobe Reader plugin is gone, as expected. Closed Firefox, installed the latest version of "Adobe Reader DC" again, started Firefox and the "Adobe Reader" plugin is there, again marked vulnerable, with the same version string, which is indeed the version of the executable:

$ wmic datafile where name='C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe' get version
Version
15.10.20056.36345

Comment 25

2 years ago
OK, so the Adobe website https://helpx.adobe.com/security/products/acrobat/apsb16-09.html states that 15.010.20060 is the latest version.

And while the *executable* returns a version string of 15.10.20056.36345, under ControlPanel=>Programs and Features, the version "15.010.20060" is returned:

$ wmic softwarefeature get productname,version | find "Reader"
Adobe Acrobat Reader DC         15.010.20060

The about:plugins site refers to "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll", which also has the older "15.10.20056.36345" version.

There's an "AcroRd32.dll" there, returning "15.10.20060.43353", maybe this file can be used to gather the correct version information? I wonder, is there an Adobe contact to ask how to do this the right way? I.e. is there an official API to be used to query the correct version in a consistent way?
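The per-family check that comment 16 proposes (Reader XI, DC Classic and DC Continuous tracked separately) and the version-string mismatch from comments 24 and 25 can be illustrated together. This is an added example, not Plugincheck code: the "latest" table is taken from the APSB15-15 and APSB16-09 figures quoted in this thread, and the rule that a DC version's second component selects the track (006 = Classic, anything else = Continuous) is an assumption read off that table.

```python
# Added example (not part of Plugincheck). Classifies an Adobe Reader version
# string into a Reader family and compares it against that family's latest
# known release, so 11.0.12.18 is "latest" for Reader XI instead of being
# compared against the DC line.

# Latest known release per family, (version, still_supported). Windows/Mac
# rows come from the APSB15-15 table in comment 20, with DC Continuous
# updated to the 15.010.20060 figure from APSB16-09 in comment 25; the Linux
# 9.x row comes from APSB13-15 and Adobe's end-of-support notice.
LATEST = {
    "Reader DC Continuous": ((15, 10, 20060), True),
    "Reader DC Classic": ((15, 6, 30060), True),
    "Reader XI": ((11, 0, 12), True),
    "Reader X": ((10, 1, 15), True),
    "Reader 9 (Linux)": ((9, 5, 5), False),
}


def parse_version(text):
    """'15.006.30060.15959' -> (15, 6, 30060, 15959).
    Leading zeros are dropped, so '15.010.20060' equals '15.10.20060';
    a Help|About style leading '2015' is mapped to the plugin's '15'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if parts and parts[0] == 2015:
        parts = (15,) + parts[1:]
    return parts


def family_of(parts):
    """Map a parsed version to a Reader family (None if unknown).
    ASSUMPTION: DC track is decided by the second component (006 = Classic)."""
    major = parts[0]
    if major == 15:
        classic = len(parts) > 1 and parts[1] == 6
        return "Reader DC Classic" if classic else "Reader DC Continuous"
    return {11: "Reader XI", 10: "Reader X", 9: "Reader 9 (Linux)"}.get(major)


def check(text):
    """Return (family, status); status is 'latest', 'outdated', 'vulnerable'
    or 'unknown'. Only as many components as the bulletin lists are compared,
    so a trailing build number never marks a current release as vulnerable."""
    parts = parse_version(text)
    family = family_of(parts)
    if family is None:
        return (None, "unknown")
    latest, supported = LATEST[family]
    observed = parts[: len(latest)]
    observed += (0,) * (len(latest) - len(observed))  # pad short strings
    if observed < latest:
        return (family, "vulnerable")
    return (family, "latest" if supported else "outdated")
```

Run against the strings from this thread, the plugin's 15.10.20056.36345 comes out vulnerable while the installer's 15.010.20060 is latest, which is exactly the disagreement comment 25 describes.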