Closed Bug 1193001 Opened 7 years ago Closed 7 years ago

Blocklist Flash 13.x after EOL (august 11, 2015)

Categories

(Toolkit :: Blocklist Policy Requests, defect)

major

RESOLVED FIXED

People

(Reporter: dveditz, Assigned: jorgev)

Details

Adobe announced in May that the Adobe Flash extended support version will be transitioned from 13.x to 18.x on August 11, 2015.

http://blogs.adobe.com/flashplayer/2015/05/upcoming-changes-to-flash-players-extended-support-release-2.html

At some point after that the next flash exploits in the wild will not receive fixes on the 13.x branch and we will have to remove the blocklisting exception for that branch. I don't know of any such exploits, preparing.
The Flash 13.x branch has been unsupported and with known vulns since Aug 11, and additional vulns were published today (see bug 1206889). We need to mark this as "vulnerable" now, or at the very least out-of-date click to play. The current ESR is 18.0.0.241
Severity: normal → major
Flags: needinfo?(jorge)
Summary: Be prepared to blocklist Flash 13.x after EOL (august 11, 2015) → Blocklist Flash 13.x after EOL (august 11, 2015)
The block for the 13.* branch is now staged: https://addons-dev.allizom.org/en-US/firefox/blocked/p780

Kamil, please give it a look. In terms of timing, this isn't urgent and I don't expect it to be deployed today (maybe tomorrow).
Flags: needinfo?(jorge) → needinfo?(kjozwiak)
Win 10 x64 (VM):
================

File: NPSWF32_13_0_0_309.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_309.dll
Version: 13.0.0.309
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-24-03-02-31-mozilla-central/

File: NPSWF32_18_0_0_241.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_241.dll
Version: 18.0.0.241
State: Enabled
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/releases/41.0/

Win 8.1 x64 (VM):
=================

File: NPSWF32_13_0_0_309.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_309.dll
Version: 13.0.0.309
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-25-00-40-22-mozilla-aurora/

File: NPSWF32_18_0_0_241.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_241.dll
Version: 18.0.0.241
State: Enabled
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/releases/41.0/

OSX 10.10.5 x64:
================

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 13.0.0.309
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-24-03-02-31-mozilla-central/

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.241
State: Enabled
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/candidates/42.0b1-candidates/build1/

Potential Issues:
=================

File: NPSWF32_13_0_0_302.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_302.dll
Version: 13.0.0.302
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/releases/41.0/
-> Link: https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p944

File: NPSWF32_13_0_0_296.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_296.dll
Version: 13.0.0.296
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/candidates/42.0b1-candidates/build1/
-> Link: https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p940

Once I installed the above flash versions, they were automatically blocked without pinging the staging server which is expected. However they both pointed to older URLs (p944 & p940). Should both of those flash versions point to the new p780 link as per comment #2?
Flags: needinfo?(kjozwiak) → needinfo?(jorge)
p944 and p940 are in the production blocklist, not the staging one. It's possible that there's some stale data in your profile that points to the old blocks. Doesn't sound like a big problem anyway, though we should double-check once the blocks are pushed live.
Flags: needinfo?(jorge)
The block is now live. Please test and check that the blocklist URL is correct.

https://addons.mozilla.org/blocked/p1020
Assignee: nobody → jorge
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 44.1
So it appears like the only version of flash that's currently pointing to p1020 is flash 13.0.0.309. All the other 13.* versions are pointing to other URLs. I tried force pinging the server several times to see if the URL would change, but they all stayed the same.

I think all the 13.* should be pointing to the p1020 URL? Jorge, is that the case?

OS's Used:

- Win 10 x64 (VM)
- OSX 10.10.5 x64

Results:
========

* flash 13.0.0.292 (checked using the latest fx44)
** https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p928
** Blocklist state for Shockwave Flash changed from 4 to 4

* flash 13.0.0.296 (checked with the latest fx41)
** https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p940
** Blocklist state for Shockwave Flash changed from 4 to 4

* flash 13.0.0.302 (checked with the latest fx42b1)
** https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p944
** Blocklist state for Shockwave Flash changed from 4 to 4

* flash 13.0.0.309 (checked with the latest fx43)
** https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p1020
** Blocklist state for Shockwave Flash changed from 0 to 4

* flash 18.0.0.241 (checked with the latest fx44)
** not being blocked as expected
Flags: needinfo?(jorge)
No, it depends on the order in which the blocks are evaluated. There are older blocks in the 13.* branch that could apply before the one introduced in this bug. I could remove the redundant ones, but that might cause more confusion.

As long as all versions are blocked, it should be okay.
Flags: needinfo?(jorge)
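An added example (not Mozilla's blocklist code, not part of this bug) modelling the ordered evaluation described above: entries are checked top to bottom and the first version range that matches decides the block state and URL, so an older, narrower 13.* entry can claim a version before the branch-wide block does. The block ids p928/p940/p944/p1020 are from this bug; the version ranges and their ordering are assumptions constructed to reproduce the URLs reported in the test results.

```python
# Added example (not Mozilla's code): ordered evaluation of plugin blocklist
# entries, where the first entry whose version range matches decides the result.
from typing import NamedTuple, Optional, Tuple

# Plugin block states as used by Firefox; 0 and 4 are the values seen in the
# "Blocklist state ... changed from 0 to 4" lines in the test results above.
STATE_NOT_BLOCKED = 0
STATE_VULNERABLE_UPDATE_AVAILABLE = 4

BASE = "https://blocklist.addons.mozilla.org/en-US/firefox/blocked/"


def parse_version(v: str) -> tuple:
    """'13.0.0.296' -> (13, 0, 0, 296); a trailing '*' matches any remainder."""
    parts = []
    for p in v.split("."):
        if p == "*":
            parts.append(float("inf"))
            break
        parts.append(int(p))
    return tuple(parts)


def in_range(version: str, lo: str, hi: str) -> bool:
    """Inclusive range check using component-wise (tuple) comparison."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


class Block(NamedTuple):
    url: str
    min_version: str  # inclusive
    max_version: str  # inclusive; '*' allowed as the last component
    state: int


# Constructed blocklist: the ids are from this bug, but the ranges and the
# ordering are assumptions chosen to reproduce the observed URLs (older,
# narrower 13.* blocks are evaluated before the branch-wide p1020 block).
BLOCKLIST = [
    Block(BASE + "p928", "13.0", "13.0.0.292", STATE_VULNERABLE_UPDATE_AVAILABLE),
    Block(BASE + "p940", "13.0", "13.0.0.296", STATE_VULNERABLE_UPDATE_AVAILABLE),
    Block(BASE + "p944", "13.0", "13.0.0.302", STATE_VULNERABLE_UPDATE_AVAILABLE),
    Block(BASE + "p1020", "13.0", "13.*", STATE_VULNERABLE_UPDATE_AVAILABLE),
]


def evaluate(version: str, blocklist=BLOCKLIST) -> Tuple[int, Optional[str]]:
    """Return (state, block URL) from the first matching entry, or (0, None)."""
    for b in blocklist:
        if in_range(version, b.min_version, b.max_version):
            return b.state, b.url
    return STATE_NOT_BLOCKED, None
```

Moving the p1020 entry to the front of the list makes every 13.* version report p1020, which is why removing or reordering the older entries would change the URLs users see even though the vulnerable state is the same either way.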
Looks like we're good :)
Product: addons.mozilla.org → Toolkit