Closed Bug 1181458 Opened 10 years ago Closed 10 years ago

Blocklist flash 18.0.0.194 for 0-days from HackingTeam dump, being used in the wild (CVE-2015-5119)

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
normal

RESOLVED FIXED
2015-06

People

(Reporter: dveditz, Assigned: jorgev)

Details

(Whiteboard: [qa-])

Attachments

(1 file)

Adobe has released an advisory for a critical vulnerability (CVE-2015-5119) in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux:
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html
This 0-day was found in the HackingTeam hacked files and was quickly added to Metasploit and has been reported in 3 different exploit packs being used as a vector for crypto-ransomware and ad-ware. Adobe is expecting to release a fix later today (Wednesday).
We should blocklist the vulnerable version (click to play, vulnerable) to stop the spread of this nasty stuff and encourage quick adoption of the new version when it's released.
lmandel: what's the next step in pushing this block along or getting it approved (by whom?)?
Flags: needinfo?(lmandel)
Details on the blocklisting process are at https://wiki.mozilla.org/Blocklisting#How_to_request_a_block
ni Jorge for visibility as we'll likely want to do this quickly.
Next step is to fill out the following template:
Plugin name:
Plugin versions to block:
Applications, versions, and platforms affected:
Block severity: (hard/soft)
How does this plugin appear in about:plugins?
File:
Version:
Description:
Homepage and other references and contact info:
Reasons:
Flags: needinfo?(lmandel) → needinfo?(jorge)
Assuming we do NOT want to simply extend the blocks enabled in bug 1177214 (we could, but we'd have to point the explanation pages at this new bug) then we want to blocklist
Flash Player Plugin 13.0.0.296 to 13.0.0.301 (click-to-play)
Flash Player Plugin 18.0.0.194 to 18.0.0.202 (click-to-play)
Flash Player Plugin on Linux 11.2.202.468 to 11.2.202.480 (click-to-play)
The Good versions are:
Mac and Windows: 18.0.0.203
Mac and Windows (ESR): 13.0.0.302
Linux: 11.2.202.481
The other information matches that used in previous blocklisting of Flash as in bug 1177214
Summary: Blocklist flash for 0-days from HackingTeam dump, being used in the wild → Blocklist flash 18.0.0.194 for 0-days from HackingTeam dump, being used in the wild (CVE_2015-5119)
Assigning myself as QA, will go through the blocklisting once they're up on the staging server.
QA Contact: kjozwiak
Summary: Blocklist flash 18.0.0.194 for 0-days from HackingTeam dump, being used in the wild (CVE_2015-5119) → Blocklist flash 18.0.0.194 for 0-days from HackingTeam dump, being used in the wild (CVE-2015-5119)
The blocks have been staged. Kamil, please give them a look.
Flash Player Plugin 13.0.0.296 to 13.0.0.301 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p740
Flash Player Plugin 18.0.0.194 to 18.0.0.202 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p742
Flash Player Plugin on Linux 11.2.202.468 to 11.2.202.480 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p744
Assignee: nobody → jorge
Flags: needinfo?(jorge) → needinfo?(kjozwiak)
Keywords: qawanted
Win 8.1 x64 (VM):
=================
Build Used: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-10-03-02-06-mozilla-central/

Vulnerable:
* loaded several flash videos in non-e10s/e10s and ensured they were being blocked correctly

File: NPSWF32_18_0_0_194.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_194.dll
Version: 18.0.0.194
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

File: NPSWF32_13_0_0_296.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_296.dll
Version: 13.0.0.296
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r

Working:

File: NPSWF32_18_0_0_203.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll
Version: 18.0.0.203
State: Enabled
Shockwave Flash 18.0 r0

Ubuntu 14.04.2 x64 (VM):
========================
Build Used: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-10-00-40-07-mozilla-aurora/

Vulnerable:
* loaded several flash videos in non-e10s/e10s and ensured they were being blocked correctly

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.468
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.466
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

Working:

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.481
State: Enabled
Shockwave Flash 11.2 r202

OSX 10.10.4 x64:
================
Build Used: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/39.0/

Vulnerable:
* loaded several flash videos in non-e10s/e10s and ensured they were being blocked correctly

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.194
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 13.0.0.292
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0

Working:

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.203
State: Enabled
Shockwave Flash 18.0 r0

Summary:
- blocklisting working correctly
Flags: needinfo?(kjozwiak)
The blocks are now live:
Flash Player Plugin on Linux 11.2.202.468 to 11.2.202.480 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p936
Flash Player Plugin 18.0.0.194 to 18.0.0.202 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p938
Flash Player Plugin 13.0.0.296 to 13.0.0.301 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p940
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [qa-]
Target Milestone: --- → 2015-06
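Added example (not part of the original bug thread or of Mozilla's blocklist code): a small audit that checks installed Flash versions against the three live ranges listed above, using inclusive numeric comparison of the dotted fields. The host names and the inventory are constructed; versions below the ranges, such as the 11.2.202.466 build QA also tested, are not decided by these three ranges alone and come back as "unlisted".

```python
# Block IDs and ranges are the live ones quoted in this bug; bounds are inclusive.
BLOCKS = [
    ("p936", "Flash Player Plugin on Linux", "11.2.202.468", "11.2.202.480"),
    ("p938", "Flash Player Plugin", "18.0.0.194", "18.0.0.202"),
    ("p940", "Flash Player Plugin", "13.0.0.296", "13.0.0.301"),
]
# "Good versions" as stated in the blocklist request.
GOOD_VERSIONS = {"18.0.0.203", "13.0.0.302", "11.2.202.481"}


def parse_version(text):
    """Turn '18.0.0.194' into (18, 0, 0, 194) so fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Flash version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version):
    """Return ('blocked', block_id), ('good', None) or ('unlisted', None)."""
    v = parse_version(version)
    for block_id, _description, low, high in BLOCKS:
        if parse_version(low) <= v <= parse_version(high):
            return ("blocked", block_id)
    if version.strip() in GOOD_VERSIONS:
        return ("good", None)
    # Outside this bug's ranges: needs checking against other blocks/advisories.
    return ("unlisted", None)


def audit(inventory):
    """Map each host in a list of (host, version) pairs to its classification."""
    return {host: classify(version) for host, version in inventory}


# Constructed inventory: host names are made up, versions appear in the thread.
SAMPLE_INVENTORY = [
    ("win-vm", "18.0.0.194"),
    ("win-esr", "13.0.0.296"),
    ("ubuntu-vm", "11.2.202.468"),
    ("ubuntu-old", "11.2.202.466"),
    ("mac-patched", "18.0.0.203"),
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        print(host, *result)
```

Comparing the raw strings instead of the parsed tuples would misorder builds whose last field differs in digit count, which is why the bounds are parsed first.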
It's the gift that keeps on giving. There's a new 0-day (CVE-2015-5122) thanks to HT that Adobe plans on fixing in the coming days.[1] The rating is critical just like the one in the reference of this bug.
Looks like blocks would need to be updated to include up through:
18.0.0.204 (Flash Player Windows(.203)/Mac(.203)/Linux)
13.0.0.302 (Flash Player ESR)
11.2.202.481 (Flash Player Plugin on Linux)
[1] https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
Thanks for the heads up macha! I created Bug # 1182751 as it's going to be a new block and this one is already resolved :)
Keywords: qawanted
* mancha! (apologies for the spam)
How am I supposed to update this plugin?
> How am I supposed to update this plugin?
You can get the latest Flash version from the following website:
- https://get.adobe.com/flashplayer/
You can also set Flash to automatically update via the "Updates" tab in the Flash Manager which is located under the "Control Panel". (see attached screenshot)
If you need to apply the update across multiple machines or if you simply want a standalone installer, [1] may be more convenient.
[1] https://www.adobe.com/products/flashplayer/distribution3.html
Product: addons.mozilla.org → Toolkit