Bug 1181458 (Closed)
Blocklist flash 18.0.0.194 for 0-days from HackingTeam dump, being used in the wild (CVE-2015-5119)

Opened 9 years ago, closed 9 years ago
Categories: Toolkit :: Blocklist Policy Requests (defect)
Status: RESOLVED FIXED
Target Milestone: 2015-06
People: Reporter: dveditz, Assigned: jorgev
Whiteboard: [qa-]
Attachments: 1 file (13.35 KB, image/png)

Description
Adobe has released an advisory for a critical vulnerability (CVE-2015-5119) in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux: https://helpx.adobe.com/security/products/flash-player/apsa15-03.html This 0-day was found in the HackingTeam hacked files and was quickly added to Metasploit and has been reported in 3 different exploit packs being used as a vector for crypto-ransomware and ad-ware. Adobe is expecting to release a fix later today (Wednesday). We should blocklist the vulnerable version (click to play, vulnerable) to stop the spread of this nasty stuff and encourage quick adoption of the new version when it's released.
Comment 2 • 9 years ago (Reporter)
Updates are now available: https://helpx.adobe.com/security/products/flash-player/apsb15-16.html
Comment 3 • 9 years ago (Reporter)
lmandel: what's the next step in pushing this block along or getting it approved (by whom?)?
Flags: needinfo?(lmandel)
Comment 4 • 9 years ago
Details on the blocklisting process are at https://wiki.mozilla.org/Blocklisting#How_to_request_a_block

ni Jorge for visibility as we'll likely want to do this quickly. Next step is to fill out the following template:

Plugin name:
Plugin versions to block:
Applications, versions, and platforms affected:
Block severity: (hard/soft)
How does this plugin appear in about:plugins?
File:
Version:
Description:
Homepage and other references and contact info:
Reasons:
Flags: needinfo?(lmandel) → needinfo?(jorge)
Comment 5 • 9 years ago (Reporter)
Assuming we do NOT want to simply extend the blocks enabled in bug 1177214 (we could, but we'd have to point the explanation pages at this new bug) then we want to blocklist

Flash Player Plugin 13.0.0.296 to 13.0.0.301 (click-to-play)
Flash Player Plugin 18.0.0.194 to 18.0.0.202 (click-to-play)
Flash Player Plugin on Linux 11.2.202.468 to 11.2.202.480 (click-to-play)

The Good versions are:
Mac and Windows: 18.0.0.203
Mac and Windows (ESR): 13.0.0.302
Linux: 11.2.202.481

The other information matches that used in previous blocklisting of Flash as in bug 1177214
Summary: Blocklist flash for 0-days from HackingTeam dump, being used in the wild → Blocklist flash 18.0.0.194 for 0-days from HackingTeam dump, being used in the wild (CVE_2015-5119)
Comment 7 • 9 years ago
Assigning myself as QA, will go through the blocklisting once they're up on the staging server.
QA Contact: kjozwiak
Updated • 9 years ago
Summary: Blocklist flash 18.0.0.194 for 0-days from HackingTeam dump, being used in the wild (CVE_2015-5119) → Blocklist flash 18.0.0.194 for 0-days from HackingTeam dump, being used in the wild (CVE-2015-5119)
Comment 8 • 9 years ago (Assignee)
The blocks have been staged. Kamil, please give them a look.

Flash Player Plugin 13.0.0.296 to 13.0.0.301 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p740

Flash Player Plugin 18.0.0.194 to 18.0.0.202 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p742

Flash Player Plugin on Linux 11.2.202.468 to 11.2.202.480 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p744
Comment 9 • 9 years ago
Win 8.1 x64 (VM):
=================
Build Used: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-10-03-02-06-mozilla-central/

Vulnerable:
* loaded several flash videos in non-e10s/e10s and ensured they were being blocked correctly

File: NPSWF32_18_0_0_194.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_194.dll
Version: 18.0.0.194
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

File: NPSWF32_13_0_0_296.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_296.dll
Version: 13.0.0.296
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r

Working:
File: NPSWF32_18_0_0_203.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll
Version: 18.0.0.203
State: Enabled
Shockwave Flash 18.0 r0

Ubuntu 14.04.2 x64 (VM):
========================
Build Used: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-10-00-40-07-mozilla-aurora/

Vulnerable:
* loaded several flash videos in non-e10s/e10s and ensured they were being blocked correctly

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.468
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.466
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

Working:
File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.481
State: Enabled
Shockwave Flash 11.2 r202

OSX 10.10.4 x64:
================
Build Used: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/39.0/

Vulnerable:
* loaded several flash videos in non-e10s/e10s and ensured they were being blocked correctly

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.194
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 13.0.0.292
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0

Working:
File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.203
State: Enabled
Shockwave Flash 18.0 r0

Summary:
- blocklisting working correctly
Flags: needinfo?(kjozwiak)
Comment 10 • 9 years ago (Assignee)
The blocks are now live:

Flash Player Plugin on Linux 11.2.202.468 to 11.2.202.480 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p936

Flash Player Plugin 18.0.0.194 to 18.0.0.202 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p938

Flash Player Plugin 13.0.0.296 to 13.0.0.301 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p940
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [qa-]
Target Milestone: --- → 2015-06
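As an added example (not code from this bug, from Mozilla's blocklist service, or from Adobe), the following Python checker applies the three click-to-play ranges posted in comments 5, 8 and 10 to a plugin inventory and reports the about:plugins-style state that the QA report in comment 9 shows. The block IDs, version ranges and first fixed versions are transcribed from the comments; the comparison rules (integer-wise dotted versions, inclusive bounds, zero-padding of shorter versions), the function names and the sample inventory are the example's own assumptions. Two versions in the QA report (11.2.202.466 and 13.0.0.292) lie below these ranges yet were flagged there; the page does not say which block flagged them, so this example does not model that.

```python
"""Added example: check Flash plugin versions against the block ranges in bug 1181458.

The ranges, block IDs and fixed versions are transcribed from the bug's comments.
The matching rules and function names are this example's own assumptions, not a
description of how Mozilla's blocklist implementation works.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Block:
    block_id: str      # ID in the addons.mozilla.org/.../blocked/<id> URL
    plugin_name: str   # name as it appears in about:plugins
    min_version: str   # inclusive lower bound
    max_version: str   # inclusive upper bound
    severity: str      # all three blocks in this bug are click-to-play


# The three live blocks from comment 10 (constructed from the page, not fetched)
FLASH_BLOCKS = (
    Block("p936", "Flash Player Plugin on Linux", "11.2.202.468", "11.2.202.480", "click-to-play"),
    Block("p938", "Flash Player Plugin", "18.0.0.194", "18.0.0.202", "click-to-play"),
    Block("p940", "Flash Player Plugin", "13.0.0.296", "13.0.0.301", "click-to-play"),
)

# First fixed versions from comment 5, keyed by plugin name and major version
FIXED_VERSIONS = {
    ("Flash Player Plugin", 18): "18.0.0.203",             # Mac and Windows
    ("Flash Player Plugin", 13): "13.0.0.302",             # Mac and Windows (ESR)
    ("Flash Player Plugin on Linux", 11): "11.2.202.481",  # Linux
}


def parse_version(version: str) -> tuple:
    """Turn '11.2.202.481' into (11, 2, 202, 481).

    Comparing integers matters: as strings, '11.2.202.48' sorts after '11.2.202.480'
    and '11.2.202.5' sorts after '11.2.202.481', so a string compare would misplace
    versions relative to the block range.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter versions are zero-padded so '18.0' == '18.0.0.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def matching_block(plugin_name: str, version: str) -> Optional[Block]:
    """Return the block whose inclusive range contains this plugin version, if any."""
    for block in FLASH_BLOCKS:
        if block.plugin_name != plugin_name:
            continue
        if (compare_versions(version, block.min_version) >= 0
                and compare_versions(version, block.max_version) <= 0):
            return block
    return None


def classify(plugin_name: str, version: str) -> dict:
    """Summarise what about:plugins would report for this version.

    State names follow the QA report in comment 9: a blocked version shows
    STATE_VULNERABLE_UPDATE_AVAILABLE because a fixed release already exists.
    """
    block = matching_block(plugin_name, version)
    fixed = FIXED_VERSIONS.get((plugin_name, parse_version(version)[0]))
    if block is None:
        return {"version": version, "state": "Enabled", "block_id": None,
                "severity": None, "fixed_version": fixed}
    return {"version": version, "state": "Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)",
            "block_id": block.block_id, "severity": block.severity, "fixed_version": fixed}


def audit(inventory) -> list:
    """Classify (plugin_name, version) pairs and return only the blocked entries."""
    return [classify(name, ver) for name, ver in inventory if matching_block(name, ver)]


if __name__ == "__main__":
    # Constructed inventory mirroring the versions exercised in the QA report (comment 9)
    sample = [
        ("Flash Player Plugin", "18.0.0.194"),
        ("Flash Player Plugin", "13.0.0.296"),
        ("Flash Player Plugin", "18.0.0.203"),
        ("Flash Player Plugin on Linux", "11.2.202.468"),
        ("Flash Player Plugin on Linux", "11.2.202.481"),
    ]
    for entry in audit(sample):
        print(entry)
```

Running the script prints one line per blocked entry, each naming the block ID and the first fixed version, which is the minimum a fleet administrator needs to turn the bug's version ranges into an upgrade list.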
Comment 11 • 9 years ago
It's the gift that keeps on giving. There's a new 0-day (CVE-2015-5122) thanks to HT that Adobe plans on fixing in the coming days.[1] The rating is critical just like the one in the reference of this bug.

Looks like blocks would need to be updated to include up through:
18.0.0.204 (Flash Player Windows(.203)/Mac(.203)/Linux)
13.0.0.302 (Flash Player ESR)
11.2.202.481 (Flash Player Plugin on Linux)

[1] https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
Comment 12 • 9 years ago
Thanks for the heads up macha! I created Bug # 1182751 as it's going to be a new block and this one is already resolved :)
Keywords: qawanted
Comment 13 • 9 years ago
* mancha! (apologies for the spam)
Comment 14 • 9 years ago
How am I supposed to update this plugin?
Comment 15 • 9 years ago
> How am I supposed to update this plugin?

You can get the latest Flash version from the following website:
- https://get.adobe.com/flashplayer/

You can also set Flash to automatically update via the "Updates" tab in the Flash Manager which is located under the "Control Panel". (see attached screenshot)
Comment 16 • 9 years ago
If you need to apply the update across multiple machines or if you simply want a standalone installer, [1] may be more convenient.

[1] https://www.adobe.com/products/flashplayer/distribution3.html
Updated • 8 years ago
Product: addons.mozilla.org → Toolkit