Closed Bug 1182751 Opened 9 years ago Closed 9 years ago

(CVE-2015-5122) Blocklist vulnerable versions of Flash Player plugin (18.0.0.203 and lower)

Categories

(Toolkit :: Blocklist Policy Requests, defect)

defect
Not set
critical

Tracking

RESOLVED FIXED
2015-07

People

(Reporter: kjozwiak, Assigned: jorgev)

Attachments

(2 files)

Thanks to mancha for the heads up in bug # 1181458 comment # 11

> It's the gift that keeps on giving. There's a new 0-day (CVE-2015-5122)
> thanks to HT that Adobe plans on fixing in the coming days.[1] The rating is
> critical just like the one in the reference of this bug.
> 
> Looks like blocks would need to be updated to include up through:
> 
> 18.0.0.204   (Flash Player Windows(.203)/Mac(.203)/Linux)
> 13.0.0.302   (Flash Player ESR)
> 11.2.202.481 (Flash Player Plugin on Linux)
> 
> [1] https://helpx.adobe.com/security/products/flash-player/apsa15-04.html
QA Contact: kjozwiak
Are you insane?
Why did you block the latest Flash version when no newer version is available? It's in a loop right now and FF keeps asking everyone to update Flash Player, and once it gets updated, it asks again since no newer version is available at this moment.

This ridiculous decision by people who have no idea how the internet works has resulted in Firefox losing its user base to Chrome. The point is not to insult users by repeating update requests.

The whole point of these security warnings is absurd since users are not working in the CIA or NSA and they don't require over-care on security; these bugs hardly affect 0.0001% of FF users, but everyone is forced to update and take the pain.
Jack, nothing has been blocked yet. This ticket is just a placeholder until Adobe releases the new version with the fix. Once that happens, the work will go into this bug. The block will first go live on a staging server which will then be tested. If everything works, it's pushed to live.
See Also: → 1182832
(In reply to Jack from comment #1)
> Are you insane?
> Why did you block the latest Flash version when no newer version is available?
Better to live with no Flash if needed for some time than be vulnerable to exploits on bugged Flash.
Most websites already support HTML5 video, so no need to panic, and your arguments are mostly exaggerated without any proof.

(In reply to Jack from comment #1)
> It's in a loop right now and FF keeps asking everyone to update
> Flash Player, and once it gets updated,
> it asks again since no newer version
> is available at this moment
Please don't lie, this bug isn't fixed and live.
The latest blocklist update was done in bug #1181458 and a new version of Flash already existed.

(In reply to Jack from comment #1)
> The point is not to insult
> users by repeating update requests.
At least Firefox cares about users and tells them that they have outdated software which is vulnerable to exploits, if they disable Flash autoupdate, because if they don't, they shouldn't be seeing any update request as Flash will update itself.

(In reply to Jack from comment #1)
> The whole point of these security warnings is absurd since users are not
> working in the CIA or NSA and they don't require over-care on security; these
> bugs hardly affect 0.0001% of FF users, but everyone is forced to update
> and take the pain.
Any proof to validate your statements that users don't care about security and that this Flash exploit affects hardly 0,0001% of users?
Update: Adobe has revised its advisory.

To clarify, there are two separate HT 0-days that will be fixed in the next Adobe release. The CVE identifiers are: CVE-2015-5122 [1] & CVE-2015-5123 [2]. Note: this is in addition to the one discussed in bug#1181458 and patched in the 20150708 Adobe release.

---
[1] http://blog.trendmicro.com/trendlabs-security-intelligence/another-zero-day-vulnerability-arises-from-hacking-team-data-leak/

[2] http://blog.trendmicro.com/trendlabs-security-intelligence/new-zero-day-vulnerability-cve-2015-5123-in-adobe-flash-emerges-from-hacking-team-leak/
(In reply to Jack from comment #1)
> The whole point of these security warnings is absurd since users are not
> working in the CIA or NSA and they don't require over-care on security; these
> bugs hardly affect 0.0001% of FF users, but everyone is forced to update
> and take the pain.

The Flash block in bug 1181458 was because the HackingTeam exploit had already appeared in 3 exploit packs serving crypto-ransomware that was impacting real users. These were NOT theoretical "only if you're a terrorist/drug-dealer" worries.
(In reply to Daniel Veditz [:dveditz] from comment #5)
> The Flash block in bug 1181458 was because the HackingTeam exploit had
> already appeared in 3 exploit packs serving crypto-ransomware that was
> impacting real users. These were NOT theoretical "only if you're a
> terrorist/drug-dealer" worries.

CVE-2015-5122 has also been found in exploit kits since at least this past Friday.[1]

Even sans non-vulnerable update, we should consider the risks of blocking the vulnerable Flash versions (ie. all of them) vs allowing millions of people to use actively exploited versions of Flash without so much as a warning.

[1] http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html
Blocks have been staged.

Flash Player Plugin on Linux 11.2.202.481 (click-to-play) 
https://addons-dev.allizom.org/en-US/firefox/blocked/p746

Flash Player Plugin 18.0.0.203 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p748

Flash Player Plugin 13.0.0.302 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p750

Kamil, please give them a look. Unlike previous blocks, these have the "update unavailable" flag since that's the current situation.
Flags: needinfo?(kjozwiak)
Keywords: qawanted
Win 8.1 x64 (VM):
=================

Build Used: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/39.0/

File: NPSWF32_18_0_0_203.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll
Version: 18.0.0.203
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Shockwave Flash 18.0 r0

File: NPSWF32_13_0_0_302.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_302.dll
Version: 13.0.0.302
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Shockwave Flash 13.0 r0

OSX 10.10.4 x64:
================

Build Used: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-13-00-40-06-mozilla-aurora/

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.203
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Shockwave Flash 18.0 r0

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 13.0.0.302
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Shockwave Flash 13.0 r0

Ubuntu 14.04.2 x64 (VM):
========================

Build Used: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-13-03-02-04-mozilla-central/

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.481
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Shockwave Flash 11.2 r202

It looks like 13.0.0.302 (ESR) isn't available on Linux as per http://www.adobe.com/ca/products/flashplayer/distribution3.html

Summary:
========

- ensured that the plugins appear as (STATE_VULNERABLE_NO_UPDATE) under about:plugins
- ensured that each version of flash is correctly mapped to the correct "Blocked Page" (p746, p748, p750)
- loaded several flash videos in non-e10s/e10s and ensured that they were being blocked correctly (IGN/GameTrailers)
- ensured "Allow Now" and "Allow and Remember" are working correctly
- ensured that you can still "Block" when you've selected "Allow and Remember"
- ensured that "you're using an insecure version of Flash" still appears when you've "allowed" flash

Looks like everything is working correctly. Let me know if I missed anything Jorge!
Flags: needinfo?(kjozwiak)
What does the notice look like when the "update not available" flag is on? 

Our support documentation on SUMO does not cover this possibility yet. It would be helpful if someone could provide a screenshot. Thanks!
The blocks are now live.

Flash Player Plugin 13.0.0.302 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p944

Flash Player Plugin 18.0.0.203 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p946

Flash Player Plugin on Linux 11.2.202.481 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p948
Assignee: nobody → jorge
Status: NEW → RESOLVED
Closed: 9 years ago
Keywords: qawanted
Resolution: --- → FIXED
Target Milestone: --- → 2015-07
(In reply to Mark Schmidt (:marksc) from comment #9)
> What does the notice look like when the "update not available" flag is on? 
> 
> Our support documentation on SUMO does not cover this possibility yet. It
> would be helpful if someone could provide a screenshot. Thanks!

See this support article on blocklisted plugins:
https://support.mozilla.org/en-US/kb/why-do-i-have-click-activate-plugins

It says the following under "How click to activate works":

 When Firefox blocks a plugin you'll see a message similar to this:

 <screenshot https://support.cdn.mozilla.net/media/uploads/gallery/images/2014-12-27-10-06-05-c56381.png>

 You can then choose to run the plugin or update it (if an update is available).
(In reply to Alice Wyman from comment #11)
> (In reply to Mark Schmidt (:marksc) from comment #9)
> > What does the notice look like when the "update not available" flag is on? 
> > 
> > Our support documentation on SUMO does not cover this possibility yet. It
> > would be helpful if someone could provide a screenshot. Thanks!
> 
> See this support article on blocklisted plugins:
> https://support.mozilla.org/en-US/kb/why-do-i-have-click-activate-plugins
> 
> It says the following under "How click to activate works":
> 
>  When Firefox blocks a plugin you'll see a message similar to this:
> 
>  <screenshot
> https://support.cdn.mozilla.net/media/uploads/gallery/images/2014-12-27-10-
> 06-05-c56381.png>
> 
>  You can then choose to run the plugin or update it (if an update is
> available).

Yes, that is one of two articles which do not currently cover this use case of a plugin not having an update available.

The screenshots in this article are for a plugin which DOES have an update available. However, I've been told that blocklist items marked "STATE_VULNERABLE_NO_UPDATE" (such as this one) do not direct users to update the plugin. But I have yet to see this for myself. What I want to know is whether the only difference between these cases is with the verbiage "this plugin is vulnerable and should be updated", or if the "check for updates" link is omitted entirely.

But since the blocklist has been updated, I suppose I'll find out first hand soon enough.
The live blocklist does not appear to be applying, at least in some cases.

Win 8.1 x64 using Firefox 38.0 win32
===================
File: NPSWF32_18_0_0_203.dll
Path: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll
Version: 18.0.0.203
State: Enabled
Shockwave Flash 18.0 r0

Win 8.1 x64 using Firefox 41.02a win32
===================
File: NPSWF32_18_0_0_203.dll
Path: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll
Version: 18.0.0.203
State: Enabled
Shockwave Flash 18.0 r0

Win 8 x64 using Firefox 38.0 win32
===================
File: NPSWF32_13_0_0_296.dll
Path: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_296.dll
Version: 13.0.0.296
State: Enabled
Shockwave Flash 13.0 r0
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I read the below, I sort the green glass from the brown glass from the clear glass at the recycle yard.


is it safe to watch spongebob on hulu


thanks

or will my head blow up

Another Zero-Day Vulnerability Arises from Hacking Team Data Leak
12:43 am (UTC-7) | by Peter Pi (Threats Analyst)

Hot on the heels of the last zero-day vulnerability that was found from the Hacking Team data leak (i.e. CVE-2015-5119) comes yet another that may be as dangerous: CVE-2015-5122, a vulnerability in Adobe Flash Player. If exploited, it could result in a crash that would allow an attacker to take control of the vulnerable system. And yes, just like CVE-2015-5119, it affects all recent versions of Flash on Windows, Mac and Linux (i.e. 18.0.0.203).

This is a new vulnerability apart from the ones we discussed in Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak, which were two Flash bugs and one in the Windows kernel. One of these Flash vulnerabilities has since been used in various exploit kits.

The good news: it’s still a Proof-of-Concept, and we are still looking to see if it is already being used in an attack. The bad news: there’s no patch for it out yet, but there should be one coming up as we had notified Adobe as soon as we verified the vulnerability itself (July 11, 10:30 AM, GMT +8). Adobe sent out the security advisory for this vulnerability at 11:40 AM (GMT+8).

So how does the vulnerability work?

With our analysis, we discovered that it is a Use-After-Free vulnerability involving the methods TextBlock.createTextLine() and TextBlock.recreateTextLine(textLine).

The trigger involves the method my_textLine.opaqueBackground = MyClass_object. What happens is that the MyClass.prototype.valueOf is overridden, as such the valueOf function it will call TextBlock.recreateTextLine(my_textLine). The my_textLine function is then used after it is freed.

We debugged the POC on an X86 environment, so the vulnerability trigger is in MyClass32 class. The exploit function itself is TryExpl of MyClass32.

The exploit steps are as follows:

    1. A new Array is named _ar, the length of _ar is _arLen = 126. _ar[0…29] is set by Vector.<uint>, vector length is 0x62.  _ar[46….125] is set by Vector.<uint>, vector length is 0x8.  _ar[30….45] is set by testLine using _tb.createTextLine(), and the textLine.opaqueBackground is set to 1.

    2. The MyClass.prototype.valueOf is overridden using MyClass.prototype.valueOf = valueOf2, and using _ar[_cnt].opaqueBackground = _mc to trigger the valueOf2 function. _mc is an instance of MyClass.

    3. In valueOf2 function, it will call _tb.recreateTextLine(_ar[index]) to free the textLine function allocated in step 1. Then, the vector’s length is set from 0x8 to 0x62 to occupy the memory of the freed textLine. The valueOf2 function will return with 0x62 + 8 = 0x6a, so _ar[_cnt].opaqueBackground will be set to 0x6a until valueOf2 return. To ensure the overwriting of the occupy vector length field, the valueOf2 function uses recursive invocation.

    4. After overwriting the vector length to 0x6a, it searches the corrupt vector, and sets the neighbor vector length to 0x40000000.

The POC can open calc.exe, which means it can also be crafted to run malicious executables.
We are currently monitoring this development and will update this blog entry as the story progresses. For now we recommend users to disable Flash in order to avoid possible attacks exploiting this vulnerability.

Posts related to vulnerabilities found in the Hacking Team Leak

    New Zero-Day Vulnerability (CVE-2015-5123) in Adobe Flash Emerges from Hacking Team Leak
    Hacking Team Flash Zero-Day Integrated into Exploit Kits
    A Look at the Open Type Font Manager Vulnerability from the Hacking Team Leak
    Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak
    Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1

Updated July 11, 2015, 12:43 AM (UTC-7) to clarify some technical details.

Updated July 12, 2015, 7:46 PM (UTC-7)

Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

    1006858 – Adobe Flash ActionScript3 opaqueBackground Use After Free Vulnerability (CVE-2015-5122)
Flags: needinfo?(nedbal)
> The live blocklist does not appear to be applying, at least in some cases.
> 
> Win 8.1 x64 using Firefox 38.0 win32
> ===================
> File: NPSWF32_18_0_0_203.dll
> Path: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll
> Version: 18.0.0.203
> State: Enabled
> Shockwave Flash 18.0 r0
> 
> Win 8.1 x64 using Firefox 41.02a win32
> ===================
> File: NPSWF32_18_0_0_203.dll
> Path: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll
> Version: 18.0.0.203
> State: Enabled
> Shockwave Flash 18.0 r0
> 
> Win 8 x64 using Firefox 38.0 win32
> ===================
> File: NPSWF32_13_0_0_296.dll
> Path: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_296.dll
> Version: 13.0.0.296
> State: Enabled
> Shockwave Flash 13.0 r0

Mark, does the block work if you manually ping the blocklist?? Paste the following in the browser console: (you can enable it via devtools.chrome.enabled;true)

- Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);

When I manually pinged the blocklist, it correctly blocked the three examples you mentioned. Jorge, could this be because of "extensions.blocklist.interval;86400" which pings the blocklist once a day?

When I go through testing, I manually ping both the staging/live servers to pull down the new blocklist so I don't have to wait for fx to do the ping which makes things a lot faster. Usually follow: https://wiki.mozilla.org/Blocklisting/Testing

--------
Results:
--------

Win 8.1 x64 using FX 38.0 win32:
================================

File: NPSWF32_18_0_0_203.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll
Version: 18.0.0.203
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Shockwave Flash 18.0 r0

Win 8.1 x64 using FX 41.02a (aurora) win32:
===========================================

File: NPSWF32_18_0_0_203.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll
Version: 18.0.0.203
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Shockwave Flash 18.0 r0

Win 8 x64 using FX 38.0 win32:
==============================

File: NPSWF32_13_0_0_296.dll
Path: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_296.dll
Version: 13.0.0.296
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0
Flags: needinfo?(jorge)
I believe the 1 day timeout was the problem. Mystery solved. Thank you, Kamil. :)
Status: REOPENED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jorge)
Resolution: --- → FIXED
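
The symptom diagnosed above (a blocked Flash version still showing plain "Enabled" until the daily blocklist ping runs) can be checked mechanically against pasted about:plugins output. This is an added example, not code from Mozilla or from any commenter; the function names, the minimum versions in the block ranges and the 18.0.0.209 file name are assumptions, and the sample reports are constructed in the shape of the output quoted in this bug.

```javascript
// Block entries for illustration. The max versions and states are the ones
// discussed in this bug; the min versions are assumptions (not on the page).
const BLOCK_RANGES = [
  { min: "18.0.0.0", max: "18.0.0.203", state: "STATE_VULNERABLE_NO_UPDATE" },
  { min: "13.0.0.297", max: "13.0.0.302", state: "STATE_VULNERABLE_NO_UPDATE" },
  { min: "13.0.0.0", max: "13.0.0.296", state: "STATE_VULNERABLE_UPDATE_AVAILABLE" },
  { min: "11.2.202.0", max: "11.2.202.481", state: "STATE_VULNERABLE_NO_UPDATE" },
];

// Compare dotted numeric versions component by component (not as strings).
function compareVersions(a, b) {
  const parse = (v) => {
    if (!/^\d+(\.\d+)*$/.test(String(v))) throw new Error(`malformed version: ${v}`);
    return String(v).split(".").map(Number);
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// State the block ranges assign to this version, or null if it is not blocked.
function expectedState(version, ranges = BLOCK_RANGES) {
  const hit = ranges.find(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) <= 0
  );
  return hit ? hit.state : null;
}

// Parse "File:/Path:/Version:/State:" records as pasted from about:plugins.
function parsePluginReport(text) {
  const records = [];
  let cur = null;
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*(File|Path|Version|State):\s*(.*)$/.exec(line);
    if (!m) continue;
    const key = m[1], value = m[2].trim();
    if (key === "File") {
      cur = { file: value, path: null, version: null, observed: null };
      records.push(cur);
    } else if (cur && key === "Path") {
      cur.path = value;
    } else if (cur && key === "Version") {
      cur.version = value;
    } else if (cur) {
      // "Enabled" alone carries no annotation; "Enabled (STATE_...)" does.
      const s = /\((STATE_[A-Z_]+)\)/.exec(value);
      cur.observed = s ? s[1] : null;
    }
  }
  return records;
}

// Compare what the profile shows against what the block ranges say it should show.
function auditReport(text, ranges = BLOCK_RANGES) {
  return parsePluginReport(text).map((r) => {
    const expected = expectedState(r.version, ranges);
    let verdict = "ok";
    if (expected && !r.observed) verdict = "blocklist-not-applied";
    else if (!expected && r.observed) verdict = "unexpected-block";
    else if (expected !== r.observed) verdict = "state-mismatch";
    return { file: r.file, version: r.version, expected, observed: r.observed, verdict };
  });
}

// Constructed sample: profile that has not fetched the new blocklist yet.
const BEFORE_REFRESH = `
File: NPSWF32_18_0_0_203.dll
Path: C:\\windows\\SysWOW64\\Macromed\\Flash\\NPSWF32_18_0_0_203.dll
Version: 18.0.0.203
State: Enabled

File: NPSWF32_13_0_0_296.dll
Path: C:\\Windows\\SysWOW64\\Macromed\\Flash\\NPSWF32_13_0_0_296.dll
Version: 13.0.0.296
State: Enabled
`;

// Constructed sample: same plugins after a blocklist ping, plus an updated Flash.
const AFTER_REFRESH = `
File: NPSWF32_18_0_0_203.dll
Version: 18.0.0.203
State: Enabled (STATE_VULNERABLE_NO_UPDATE)

File: NPSWF32_13_0_0_296.dll
Version: 13.0.0.296
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)

File: NPSWF32_18_0_0_209.dll
Version: 18.0.0.209
State: Enabled
`;

console.log(auditReport(BEFORE_REFRESH).map((r) => `${r.version}: ${r.verdict}`));
console.log(auditReport(AFTER_REFRESH).map((r) => `${r.version}: ${r.verdict}`));
```

A `blocklist-not-applied` verdict on a profile is the case diagnosed in this bug: the ranges are live on the server, but the client has not yet fetched them.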
Does anyone know about Shumway?
It works flawlessly, handles all SWF files as it should and is a perfect replacement for Flash.
How safe is it? Is it being observed by anyone? I totally disabled Flash on my FF and am using Shumway now. But I'm not sure if I made a safe choice, really...
Any ideas? I'm kinda sick of these weekly bugs we get on Flash and this is getting more and more annoying...
This bug isn't the best place for off-topic discussions about Shumway (please see https://www.mozilla.org/en-US/about/forums/#dev-shumway or https://support.mozilla.org/ ) but I'm glad it's working for you. Shumway was designed to be safe and we are working toward shipping it. It handles many Flash scripts well, but not yet enough to ship as a complete replacement for all Firefox users. If it handles the Flash you encounter well then use it in good health.
my Flash Player Plugin to bug July 13
  problematic will be automatically deactivated and more usable.

Flash Player Plugin 18.0.0.203 (click-to-play) has been blocked for your protection.
https://blocklist.addons.mozilla.org/fr/firefox/blocked/p946
Flags: needinfo?(kjozwiak)
(In reply to Victor Mangraviti from comment #17)
> Does anyone know about Shumway?
> It works flawlessly, handles all SWF files as it should and is a perfect
> replacement for Flash.
> How safe is it? Is it being observed by anyone? I totally disabled Flash on
> my FF and am using Shumway now. But I'm not sure if I made a safe choice,
> really...
> Any ideas? I'm kinda sick of these weekly bugs we get on Flash and this is
> getting more and more annoying...

Shumway does not handle ALL swf files.

I've been developing Flash games for the past 8 years. Shumway does not handle many of the features of Flash Player that I've used in games - notably sound and many graphics operations.

A lot of AS3 programmers make use of certain commands in Flash that circumvent running the operation in bytecode and execute them at high speed. This means that a lot of advanced Flash projects will never run in a satisfactory manner in Javascript. There is simply no parallel without rebuilding it. I've programmed in both AS3 and Javascript - they look similar but are very different beasts when you push them to their limits.

That said, our team has moved over to working in Unity - which is a nightmare for making 2D games and far less enjoyable to program in.

I blame Adobe.
(In reply to malerfique from comment #19)
> my Flash Player Plugin to bug July 13
>   problematic will be automatically deactivated and more usable.
> 
> Flash Player Plugin 18.0.0.203 (click-to-play) has been blocked for your
> protection.
> https://blocklist.addons.mozilla.org/fr/firefox/blocked/p946

malerfique, I'm not exactly sure what the issue is? Flash 18.0.0.203 was blocked purposely and changed to click-to-play. You should still be able to play Flash content by either selecting "Allow Now" or "Allow and Remember".
Flags: needinfo?(kjozwiak)
Adobe has released updates that address these vulnerabilities, so I have updated the blocks to indicate the update is now available.
Blocks: 1183671
so it's been july 14 2015 @ 11:41 PM here in the philippines when i got this news and frankly, i'm inept at dealing with this thing. so i've searched the web to see if flash flipped its marbles yet again for some more useless update (insert 9gag joke about how flash keeps updating with no actual additional feature). and i found no new update. when i searched even more into this whole ordeal, now i know that there IS a reason flash is going nuts these days. been experiencing it with my facebook. so it is a hack of flash huh. better turn it off all the way in fear of risking my computer. any suggestion to what program should i use, i frequent youtube for my daily dose of minecraft and all. thanks in advance team firefox.
Version listed here:https://get.adobe.com/flashplayer/
is 11.2.202.481

Checker here: https://www.mozilla.org/en-US/plugincheck/
says my plugin is up to date at version 11.2.202.481

No updates available for flash for Ubuntu 14.04 LTS in their main server packages.

There is no update for flash accessible but Firefox insists that my version (11.2.202.481) is out of date.

Clicking "allow for now" or "always allow" breaks playback at twitch.tv (which doesn't have a html5 alternative it seems).

Shift + Ctrl + R after "always allow" does not fix twitch.tv playback.

Changing extensions.blocklist.enabled to false does not fix twitch.tv playback.

If no update is available here: https://get.adobe.com/flashplayer/
then imho opinion the block should not have been enabled.
(In reply to Richard from comment #24)
> Version listed here:https://get.adobe.com/flashplayer/
> is 11.2.202.481
> 
> Checker here: https://www.mozilla.org/en-US/plugincheck/
> says my plugin is up to date at version 11.2.202.481

You're right. It looks like there's no update for Linux (so far?). I'm reverting the block for Linux to indicate there's no update available.
(In reply to Richard from comment #24)
> Version listed here:https://get.adobe.com/flashplayer/
> is 11.2.202.481
> 
> Checker here: https://www.mozilla.org/en-US/plugincheck/
> says my plugin is up to date at version 11.2.202.481
> 
> No updates available for flash for Ubuntu 14.04 LTS in their main server
> packages.
> 
> There is no update for flash accessible but Firefox insists that my version
> (11.2.202.481) is out of date.
> 
> Clicking "allow for now" or "always allow" breaks playback at twitch.tv
> (which doesn't have a html5 alternative it seems).
> 
> Shift + Ctrl + R after "always allow" does not fix twitch.tv playback.
> 
> Changing extensions.blocklist.enabled to false does not fix twitch.tv
> playback.
> 
> If no update is available here: https://get.adobe.com/flashplayer/
> then imho opinion the block should not have been enabled.

I have exactly the same problem, but I managed to overcome this on Ubuntu by using these instructions - http://www.webupd8.org/2014/05/install-fresh-player-plugin-in-ubuntu.html
So, Mozilla doesn't want to support PPAPI and that's their right, but wrappers exist already. Adobe probably will not keep old Flash 11 alive forever.
Also I kind of agree with Virtual_ManPL that there is not that much need for Flash today, since most sites support "flashless" HTML5 media play in one way or another; Twitch is an unfortunate exception.
(In reply to Jorge Villalobos [:jorgev] from comment #25)
> (In reply to Richard from comment #24)
> > Version listed here:https://get.adobe.com/flashplayer/
> > is 11.2.202.481
> > 
> > Checker here: https://www.mozilla.org/en-US/plugincheck/
> > says my plugin is up to date at version 11.2.202.481
> 
> You're right. It looks like there's no update for Linux (so far?). I'm
> reverting the block for Linux to indicate there's no update available.

As a Linux user, I appreciate being warned when a vulnerability in the Flash plugin has been discovered. After all, if I want to ignore the warning then that is trivial to do. However, what I do NOT appreciate is how difficult it was to figure out WHY the plugin had become blocked.

The first thing I did when I saw the warning was go to the "plugincheck" page, which told me that my plugin was up to date, which was initially confusing. I checked a few more places to confirm this. I went to about:plugins and saw the STATE_VULNERABLE_NO_UPDATE annotation, which I searched for. Eventually I figured out that this would have been set by the "plugin blocklist", so I searched for "firefox plugin blocklist", and came across this: https://addons.mozilla.org/en-US/firefox/blocked/ page. It took two more clicks from that page to get to this bug.

So, I think it is fine to warn the user about vulnerable plugins even if no update exists. However, I think Mozilla could do a much better job of explaining the situation to users in this case.
I just noticed that my about:addons page includes a link to this: https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p948 page, so I suppose this isn't quite as bad as I had thought.

I'm curious: is the plugin blocklist maintained in a publicly-viewable repository somewhere?
OSX 10.10.4 x64:
================

Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/39.0/

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.203
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 13.0.0.302
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0

Win 8.1 x64:
============

Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-07-14-00-40-06-mozilla-aurora/

File: NPSWF32_18_0_0_203.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_203.dll
Version: 18.0.0.203
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

File: NPSWF32_13_0_0_302.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_302.dll
Version: 13.0.0.302
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0

Ubuntu 14.04.2 x64:
===================

> You're right. It looks like there's no update for Linux (so far?). I'm
> reverting the block for Linux to indicate there's no update available.

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.481
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
Shockwave Flash 11.2 r202

For each of the above plugins, I went through the following:

- ensured that clicking on "Check for Update" took the user to the "Mozilla Plugin" page
- ensured when users select "Update Now", the https://get.adobe.com/flashplayer/ page opens
- ensured that clicking on "Update Now.." under the "Flash doorhanger" opens https://get.adobe.com/flashplayer/
- ensured that "Shockwave Flash is known to be vulnerable and should be updated. <button>Update Now</button>" appears under about:addons
- ensured that "Shockwave Flash is known to be vulnerable. Use with caution. <button>More Information</button>" appears under about:addons
- ensured that the entry under about:plugins appears as (STATE_VULNERABLE_UPDATE_AVAILABLE) for Win/OSX
- ensured that the entry under about:plugins appears as (STATE_VULNERABLE_NO_UPDATE) for Linux
Adobe Flash has been updated to Version 18.0.0.209. I just installed it and still can't use it!
(In reply to Ari Entlich from comment #28)
> I'm curious: is the plugin blocklist maintained in a publicly-viewable
> repository somewhere?

No, it's managed through the admin tools on addons.mozilla.org. The full list of blocks is here: https://addons.mozilla.org/blocked/, but that's everything we publish.
(In reply to George Kruchinin from comment #30)
> Adobe Flash has been updated to Version 18.0.0.209 I just installed it and
> still can't use it!

You might need to restart Firefox for the block to stop showing up.
Hi, I did restart and it's still blocked. Thanks
I just had an update come through for my Ubuntu 14.04.2 LTS system but I'm a bit confused. 

Start-Date: 2015-07-14  19:39:19
Commandline: aptdaemon role='role-commit-packages' sender=':1.148'
Upgrade: flashplugin-installer:amd64 (11.2.202.481ubuntu0.14.04.1, 11.2.202.481ubuntu0.14.04.2)

However this is the version AFAICT that Firefox has been complaining about on my system all day long as being blocked from running. Or, am I reading this incorrectly? The "Shockwave Flash is known to be vulnerable" warning is still present and I did restart Firefox.
Chris
Hi, I updated Flashplugin today to Version 18.0.0.209 and restarted Firefox and it's still blocked.
Same here. 11.2.202.481 is installed 


2015-07-15 04:03:08 install flashplugin-installer:amd64 11.2.202.481ubuntu0.15.04.2 11.2.202.481ubuntu0.15.04.2

Both FF and Seamonkey still warn me about the Vulnerability.
Doesn't seem to pass the common sense test to me. Why upgrade to a version that is reported as vulnerable? Think I'll open a bug at Ubuntu Launch Pad and see what happens.
AFAICT, Adobe hasn't released a flash update for Linux yet, as per the advisory:

* https://helpx.adobe.com/security/products/flash-player/apsb15-18.html

>> Adobe will provide an update for Flash Player for Linux during
>> the week of July 12.  The update will be available by visiting
>> the Adobe Flash Player Download Center.
>> Please continue to monitor the PSIRT blog for updates.

Loading https://get.adobe.com/flashplayer/ will still offer users 11.2.202.481 and is also the last version available at https://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html (usually new builds are instantly added)
I went through the entire process on my main Win 8.1 x64 home machine (not a VM) and everything worked on my end. Once I downloaded flash 18.0.0.209 and restarted firefox, the block was removed and the correct version/info appeared under about:addons and about:plugins. I visited a bunch of websites that rely heavily on flash and everything worked.

Used the following steps:

- Build Used: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/39.0/win32/en-US/
- Flash Used: https://fpdownload.macromedia.com/pub/flashplayer/installers/archive/fp_18.0.0.203_archive.zip

- installed firefox 39 and flash 18.0.0.203
- checked about:addons and about:plugins and made sure that flash is appearing as STATE_VULNERABLE_UPDATE_AVAILABLE
- visited https://www.mozilla.org/en-US/plugincheck/ and selected "Update Now" which took me to https://get.adobe.com/flashplayer/
- downloaded the latest version adobe offered (flash 18.0.0.209)
- once I finished downloading flash 18.0.0.209 I closed firefox 39
- installed flash 18.0.0.209 via the downloaded flashplayer18_ha_install.exe file
- re-opened firefox 39 and checked about:addons and about:plugins (appears as Version: 18.0.0.209 State: Enabled)

> Chris
> Hi, I updated Flashplugin today to Version 18.0.0.209 and restarted Firefox
> and it's still blocked.

Could you take a look under about:plugins and let me know what it says under Shockwave Flash? Should look something similar to comment # 29
(In reply to Vadim Banev from comment #36)
> 2015-07-15 04:03:08 install flashplugin-installer:amd64
> 11.2.202.481ubuntu0.15.04.2 11.2.202.481ubuntu0.15.04.2
> 
> Both FF and Seamonkey still warn me about the Vulnerability.

Some problem here on Mint 17 (Ubuntu 14.1). The update has been installed by the Mint-OS (verified in the logs), but the FF-Plug-in page still shows the old version. And I also get the warnings on Flash-websites.
(In reply to Hermann from comment #40)
> some problem here on Mint 17 (Ubuntu 14.1). The update has been installed by
> the Mint-OS (verified in the logs) ,but the FF-Plug-in page still shows the
> old version. And I also get the warnings on Flash-websites.

got it, the provided patch for Flash on Linux doesn't fix the security vulnerability on Linux. There will be another patch coming soon which will fix it.
(In reply to Virtual_ManPL [:Virtual] from comment #3)
> Most websites are already supporting HTML5 video, so no need to panic and
> your arguments are mostly exaggerated without any proofs.

The problem is that in such cases Firefox did not run HTML5 if Flash player on the page is preferred. For example, on vk.com you can neither listen to music (and when you try to listen to music no message appears, it seemed to be a Firefox bug!), nor watch videos, though VK uses HTML5 if Flash player is turned off.
All I can say is that whoever the gate keeper is . . . The problem is not resolved! You don't know what you are doing?

Flash is blocked and there is no way to unblock it. I've downloaded the update and that changed nothing!

There is no opportunity to click on a "travel at my own risk" icon though there was for a short while yesterday.

It's been dead in the water for a second day now.

YouTube works fine on Chromium or go to Windows with Firefox.
Please update the block description (https://addons.mozilla.org/en-US/firefox/blocked/p948) to mention that while the currently blocked version is vulnerable, no new version is available for Linux yet.

Plugin check page says 11.2.202.481 is up to date and gives it a green thumb up -- this is wrong because it sends an inconsistent message to the user!
If the version is marked as vulnerable, it should not show a green thumbs up button. It probably makes sense to elaborate that it is the latest available version but is not quite safe to use. Advised user action is to not use Flash until a new update comes through.
(In reply to Konstantin Svist from comment #44)
> Please update the block description
> (https://addons.mozilla.org/en-US/firefox/blocked/p948) to mention that
> while the currently blocked version is vulnerable, no new version is
> available for Linux yet.
> 
> Plugin check page says 11.2.202.481 is up to date and gives it a green thumb
> up -- this is wrong because it sends an inconsistent message to the user!
> If the version is marked as vulnerable, it should not show a green thumbs up
> button. It probably makes sense to elaborate that it is the latest available
> version but is not quite safe to use. Advised user action is to not use
> Flash until a new update comes through.

Agreed, created bug # 1184257
At the present moment I can't play any of the multimedia web sites using Flash at all (including the ones I pay for). The choice "Ask to activate" in the add-ons manager DOES NOT WORK. Clicking on "Activate the plugin" in the webpages has no effect.

In other words, the highest threat I am exposed to for the moment is the intrusion of Firefox on my computer, which decides on its own I am not allowed to access my favorite contents on the web anymore. Thanks guys.

Using Firefox 39.0, Linux Fedora 22, Flash 11.2.202.481.
Flash has a new update, it is Version 18.0.0.209. I updated yesterday 7/14/15 and it works.
And I add that on some websites like deezer.com, there is no place where I can click on "Click to activate". The website just rejects me. There is an absolute need to ungrey the choice "Always activate" in the add-ons manager.
I'm new to this, can anyone tell me how to stop bugzilla from sending every post to my email. I would appreciate any help. Thanks
George
(In reply to bahamut00 from comment #48)
> Created attachment 8634296 [details]
> No way to activate Flash on deezer.com
> 
> And I add that on some website like deezer.com, there is no place where i
> can click on "Click to activate". The website just rejects me. There is an
> absolute need to ungrey the choice "Always activate" in the add-ons manager.

I confirm bahamut00@free.fr's use case and concur with his statement! Always active should be an option. It's greyed out in both Firefox 39 and Seamonkey 2.33.1.
Why is the button "always activate" disabled?
Firefox keeps asking me on every tab.

I can't watch a video on facebook, Firefox doesn't ask me to activate Flash.
In my case I was able to fix HTML5 to where it would work and in most cases it runs the videos without any hassle. I had to go into about:config and change several types to true instead of false.

In the videos that will not run on HTML5, 
there is the "-" where the "X" was in the middle of the video screen at one time.
Right under the "-" there is the "Activate" box. This box leads one to believe that you click on activate for flash to work but you click on the "-". You must be to the update point of having the "-"?

Then you have the choice for permission to run once or always.

I hope this makes sense to those of us that are challenged by this fiasco?

I had to get HTML5 to work in my Windows as well as my Ubuntu systems
(In reply to winning from comment #52)
> In my case I was able to fix HTML5 to where it would work and in most cases
> it runs the videos without any hassle. I had to go into about:config and
> change several types to true instead of false.

Is there an about:config tuning where I can bypass the Firefox plugin-outdated rules?

> In the videos that will not run on HTML5, 
> there is the "-" where the "X" was in the middle of the video screen at one
> time.
> Right under the "-" there is the "Activate" box. This box leads one to
> believe that you click on activate for flash to work but you click on the
> "-". You must be to the update point of having the "-"?

You mean the "no way" sign?

> Then you have the choice for permission to run once or always.

Nope. Nothing happens at all.

> I hope this makes sense to those of us that are challenged by this fiasco?

Nope.
Ok, I will try. But it's a pity that the ordinary user has to do this to watch a video when everything was working fine before.

It's nice that Firefox tries to prevent users, but we should be able to use "always activate" if we want.
Found it: if Shumway is installed, "Activate the plugin" has no effect. I had to disable Shumway, and now I am offered the options. However, Firefox does not remember my choice ("Always activate"): I have to repeat it again and again.
Yes, the "NO WAY" sign with the "X" or "-" in it. I don't know if the "X" one will go? But the "-" will bring up the one time or always choices.

As far as HTML5 goes - You need to Google FireFox and HTML5 and you will need to Google YouTube and HTML5.

There's a thing in the YouTube one where you can make it use HTML5 if the video will run on it and you never see this incomplete mess that we've been going through for the last few days.

In Ubuntu I had to go into about:config and change permissions on some parameters explained in the FireFox and HTML5 search.

On my Windows/FireFox computer I set up HTML5 back in May and I didn't have any trouble with it.
Yes with Flash the "always" doesn't work. You have to approve it every time.
The big secret for the future is to concentrate on getting HTML5 setup to work in your computer and to migrate away from Shock Wave Flash (SWF). Adobe is not interested in SWF, You Tube has already changed over to HTML5 from SWF but the new videos are backwards compatible and will run on Shock Wave Flash if you can get it unblocked.

Chrome, Chromium, and Explorer are already HTML5?

If you are running the Ubuntu 14-04 operating system and the default FireFox, it is beyond the ability of many users to get HTML5 unblocked?

It is not so much trouble with Windows and FireFox.

Don't forget that it doesn't hurt to set HTML5 as the default in YouTube?
Depends on: 1184140
(In reply to winning from comment #58)
> The big secret for the future is to concentrate on getting HTML5 setup to
> work in your computer and to migrate away from Shock Wave Flash (SWF). Adobe
> is not interested in SWF, You Tube has already changed over to HTML5 from
> SWF but the new videos are backwards compatible and will run on Shock Wave
> Flash if you can get it unblocked.
> 
> Chrome, Chromium, and Explorer are already HTML5?
> 
> If you are running the Ubuntu 14-04 operating system and the default
> FireFox, it is beyond the ability of many users to get HTML5 unblocked?
> 
> It is not so much trouble with Windows and FireFox.
> 
> Don't forget that it doesn't hurt to set HTML5 as the default in YouTube?

There's no unblocking to be done. Every YouTube user can choose their preferred player here. https://www.youtube.com/html5 

While I completely agree that Flash is well on its way out, it's been my experience that in YouTube specifically, H264 playback is far from optimized. It's no problem using HTML5, it's just that even the outdated 11.2 + hardware rendering gives me better performance in YouTube than their native HTML5 player. The margin is not big, and while it has definitely decreased over the years, it's definitely there. This is valid for me across all five systems at home, some with older AMD CPUs, even on the i7 desktop. I imagine there's still some work to be done. After all, YouTube still uses Flash as the default playback method. Google themselves choose to package flash with their browser.

When you think about it, in a time when plugins are on their way out, PPAPI was created, and its major role so far seems to be to get Flash for Chrome. The fact is, there is still some backward compatibility to consider. There needs to be a buffer period. 

A lot of current functionality has been broken because of the way the block was implemented. I'd say that's the issue at hand. Don't believe there's any debate as to where we're headed in the grand scheme of things ;)
Good post
(In reply to winning from comment #60)
> Good post

Thanks. Just wish I'd proofread before posting :D Incidentally, a beta update for the Windows version of Flash was just announced in Adobe's Labs RSS feed. There's somebody awake in there, apparently. http://blogs.adobe.com/labs/archives/2015/07/updated-flash-player-18-betas-available-on-adobe-labs-4.html
Regarding using Youtube in HTML5 mode:
Linux still has the 360p problem that keeps appearing and disappearing for me (same as described here: https://productforums.google.com/forum/#!topic/youtube/ng1GIC3EI5o and in many other places)

Specifically, HTML5 on Linux doesn't work since there's no H264 nor MSE...
(In reply to bahamut00 from comment #53)
> Created attachment 8634327 [details]
> "Activate the plugin" won't work
> 
> (In reply to winning from comment #52)
> > In my case I was able to fix HTML5 to where it would work and in most cases
> > it runs the videos without any hassle. I had to go into about:config and
> > change several types to true instead of false.
> 

IMHO most users easily become lost trying to do this.

Need is

   (a) Firefox to automatically select use of HTML5,
   (b) wide campaign to encourage media suppliers to provide HTML5 outputs,
   (c) ensure all users know how to ensure HTML5 is working for them.

    ---No further comment---

> Is there an about:config tuning where I can bypass the Firefox
> plugin-outdated rules?
> 
> > In the videos that will not run on HTML5, 
> > there is the "-" where the "X" was in the middle of the video screen at one
> > time.
> > Right under the "-" there is the "Activate" box. This box leads one to
> > believe that you click on activate for flash to work but you click on the
> > "-". You must be to the update point of having the "-"?
> 
> You mean the "no way" sign?
> 
> > Then you have the choice for permission to run once or always.
> 
> Nope. Nothing happens at all.
> 
> > I hope this makes sense to those of us that are challenged by this fiasco?
> 
> Nope.
(In reply to George Kruchinin from comment #49)
> I'm new to this,can anyone tell me how to stop bugzilla from sending every
> post to my email.I would appreciate any help.Thanks 
> George

Whilst signed in to bugzilla look at the main details towards the top on the right
> Ignore Bug Mail: []	(never email me about this bug) 
Use that tick box & then click on [save changes].
Or, as a heavy user of bugzilla needing to fine tune preferences, use:
> https://bugzilla.mozilla.org/userprefs.cgi?tab=email

Conversely those wishing to follow the bug progress will by default be added to the cc list if they click on [save changes] as the cc box is ticked by default.
New users of bugzilla may also be interested to note you may register interest without posting by voting for a bug. Please see:
> https://bugzilla.mozilla.org/page.cgi?id=voting.html
and
> https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
Part of the problem here appears to be a disconnect between the information presented in about:addons/Plugins (More information) versus that found in about:plugins which is where one finds the Status as STATE_VULNERABLE_NO_UPDATE.  If one follows the links from about:addons/Plugins/More information/plugin check page, one finds only that the plugin is up-to-date, but not that it is vulnerable without an update.  I believe the average user is going to find the information in about:addons before checking out about:plugins.

My $0.02: Adobe doesn't care about linux users.  Not that it surprises me, but they've seriously tarnished an already tarnished brand by not continuing support for the linux version of the plugin.  Time to move on but chrome's enabling of swf by embedding its licensed version of flash in its browser doesn't help.
11.2.202.491 installer was pushed to the Ubuntu repositories. I can confirm the plugin is no longer blocked.
As of this minute, I have installed two SWF updates in Linux since it was blocked on the 13th. And SWF is still blocked in Linux. I moved on to HTML5 and avoid all the frustration, misinformation, and lack of information created by whoever is responsible for this fiasco at FireFox.

The fact that SWF is blocked is not so much the problem as the confusion, lack of a solution, and FireFox just blocked it! - without a solution. Not Firefox's problem? But it is Firefox's problem in the long run! It punishes the users more than it does Adobe. Adobe could care less?

I suspect that Linux users are on the way to Chromium and forget all this Firefox menagerie?
Vadim, any idea when it will appear as an update?
It's already appeared in Ubuntu. I've updated all three of my Ubuntu boxes (one XUbuntu). Two 14.10 and one 15.04. Both Firefox 39 and Seamonkey 2.33.1 register the 11.2.202.491 security update as up-to-date and there is no blocking (11.2.202.481 was the blocked version). I have no idea whether it has been pushed to other distribution repositories, but it is definitely available here https://get.adobe.com/flashplayer/.
For some reason (491) was blocked in my computer. You go to SYNAPTIC and it said that 491 was loaded but you go to FireFox and it said I had 481.

So I uninstalled the 491 loader and re-installed it and now Firefox says I have 491 and everything is unlocked. What a SNAFU
(In reply to winning from comment #70)
> For some reason (491) was blocked in my computer. You go to SYNAPTIC and it
> said that 491 was loaded but you go to FireFox and it said I had 481.
> 
> So I uninstalled the 491 loader and re-installed it and now Firefox says I
> have 491 and everything is unlocked. What a SNAFU

Could happen if you updated while the browser was open. The pluginreg.dat file could get corrupted that way. But yeah, 491 is fine  ...(well, for now :D)
(In reply to winning from comment #67)
> As of this minute, I have installed two SWF updates in Linux since it was
> blocked on the 13th. And SWF is still blocked in Linux. I moved on to HTML5
> and avoid all the frustration, misinformation, and lack of information
> created by whoever is responsible for this fiasco at FireFox.

Then both Adobe and Mozilla/Firefox have succeeded in your case as we all want Flash/SWF to die and be replaced with HTML5 instead. Thanks for switching.
Fedora 21 now has .491 -- and adobe test page (and another random Flash version tester) say my version is now .491
But plugincheck page still says it's .481 and so does Firefox's plugins page
I've already tried removing and reinstalling the plugin with yum.. no effect


Shockwave Flash

    File: libflashplayer.so
    Path: /usr/lib64/flash-plugin/libflashplayer.so
    Version: 11.2.202.481
    State: Enabled (STATE_VULNERABLE_NO_UPDATE)
    Shockwave Flash 11.2 r202

MIME Type	Description	Suffixes
application/x-shockwave-flash	Shockwave Flash	swf
application/futuresplash	FutureSplash Player	spl
(In reply to Konstantin Svist from comment #73)
> Fedora 21 now has .491 -- and adobe test page (and another random Flash
> version tester) say my version is now .491
> But plugincheck page still says it's .481 and so does Firefox's plugins page
> I've already tried removing and reinstalling the plugin with yum.. no effect
> 
> 
> Shockwave Flash
> 
>     File: libflashplayer.so
>     Path: /usr/lib64/flash-plugin/libflashplayer.so
>     Version: 11.2.202.481
>     State: Enabled (STATE_VULNERABLE_NO_UPDATE)
>     Shockwave Flash 11.2 r202
> 
> MIME Type	Description	Suffixes
> application/x-shockwave-flash	Shockwave Flash	swf
> application/futuresplash	FutureSplash Player	spl

Something similar has popped up before, I think. Try closing FF, deleting pluginreg.dat in your profile dir. It will be generated once you start the browser again. See if that helps?
That did it, thanks!
I did restart Firefox after installing the update, but during the update it was still running.
I think this notice/workaround should be added to the plugindetect page. If it doesn't make sense to fix it automatically, there should be a note for the user on how to fix it...
(In reply to Konstantin Svist from comment #75)
> That did it, thanks!
> I did restart Firefox after installing the update, but during the update it
> was still running.
> I think this notice/workaround should be added to the plugindetect page. If
> it doesn't make sense to fix it automatically, there should be a note for
> the user on how to fix it...

Don't quote me on this. But I think it was sticky in an LQ thread a while back ...or somewhere. I'm sure it could be addressed internally. It makes sense to have a mechanism that checks against integrity or locks the file or something. Also, we're really stretching the thread at this point, aren't we :D ...
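The two situations reported above (the installed version is itself the blocked one, versus the package manager having a newer version than Firefox shows, which the pluginreg.dat workaround addresses) can be told apart with a small check. This is an added example, not part of the bug thread or Mozilla's code; the function names and result labels are assumptions, and the blocked version is the one the thread names for Linux.

```shell
#!/bin/sh
# Added example: triage a "still vulnerable after updating" report.
# BLOCKED_MAX is the Linux version the thread names as blocked; the
# function names and result labels are this example's own.
BLOCKED_MAX="11.2.202.481"

# ver_cmp A B: print -1, 0 or 1 for dotted numeric versions A and B.
ver_cmp() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*}; y=${vb%%.*}
        # Drop the field just read; an input without a dot is now exhausted.
        case $va in *.*) va=${va#*.} ;; *) va="" ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb="" ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    echo 0
}

# upstream_version PKGVER: strip a distro suffix such as "ubuntu0.15.04.2".
upstream_version() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*[0-9]\).*/\1/'
}

# reported_version: read about:plugins text on stdin, print its Version field.
reported_version() {
    sed -n 's/^[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# triage REPORTED INSTALLED: classify the situations seen in the thread.
#   REPORTED  = version Firefox shows in about:plugins
#   INSTALLED = version string from the package manager
triage() {
    rep=$1; inst=$(upstream_version "$2")
    if [ "$(ver_cmp "$inst" "$rep")" = 1 ]; then
        # Package is newer than what the browser shows: cached plugin data.
        # Thread workaround: close the browser, then delete pluginreg.dat
        # in the profile directory so it is regenerated on next start.
        echo stale-registry
    elif [ "$(ver_cmp "$rep" "$BLOCKED_MAX")" != 1 ]; then
        # The installed plugin really is a blocked version.
        echo blocked-version-installed
    else
        echo ok
    fi
}

# Constructed sample, modelled on the about:plugins text posted in the thread.
SAMPLE_ABOUT_PLUGINS='Shockwave Flash
    File: libflashplayer.so
    Path: /usr/lib64/flash-plugin/libflashplayer.so
    Version: 11.2.202.481
    State: Enabled (STATE_VULNERABLE_NO_UPDATE)'

# Firefox shows .481 while the package manager reports .491.
triage "$(printf '%s\n' "$SAMPLE_ABOUT_PLUGINS" | reported_version)" "11.2.202.491"
```

The installed version would come from the distribution's package manager; the sample call uses the values reported for Fedora in the thread.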
Product: addons.mozilla.org → Toolkit