Blocklist flash 18.0.0.232

RESOLVED FIXED in 44.2

Status

()

RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: kjozwiak, Assigned: jorgev)

Tracking

unspecified
44.2
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

3 years ago
Adobe has released an advisory for several vulnerabilities in Adobe Flash Player 18.0.0.232 and earlier versions for Windows, Macintosh and Linux: 
* https://helpx.adobe.com/security/products/flash-player/apsb15-23.html

- Adobe Flash Player Desktop Runtime - 19.0.0.185 [Windows and Macintosh]
- Adobe Flash Player Extended Support Release - 18.0.0.241 [Windows and Macintosh]
- Adobe Flash Player for Linux - 11.2.202.521 [Linux]
(Assignee)

Comment 1

3 years ago
Dan, what do you think about the severity of these vulns?
Flags: needinfo?(dveditz)
(Reporter)

Comment 2

3 years ago
The ones listed in comment # 0 are the new versions, the following are the vulnerable versions:

- Adobe Flash Player Desktop Runtime - 18.0.0.232 and earlier [Windows and Macintosh]
- Adobe Flash Player Extended Support Release - 18.0.0.232 and earlier [Windows and Macintosh]
- Adobe Flash Player for Linux- 11.2.202.508 and earlier [Linux]
They're as severe as they get (in theory) but I haven't heard of any reports of exploits in the wild yet. We definitey need to make sure the plugincheck page has it right (seems to) but I think it's premature to click2play flash yet given how disruptive it is. Keep an eye on the version uptake and reports of exploits. Maybe next week would be better for click2play (and not yet at the "vulnerable" level, just "outdated").

We do need to address the blocklist of the old 13.x ESR branch though: bug 1193001.
Flags: needinfo?(dveditz)
(Assignee)

Comment 4

3 years ago
The blocks are now staged. Kamil, please give them a look:

Flash Player Plugin on Linux 11.2.202.482 to 11.2.202.508 (click-to-play)
https://addons-dev.allizom.org/firefox/blocked/p784

Flash Player Plugin 18.0.0.204 to 18.0.0.232 (click-to-play)
https://addons-dev.allizom.org/firefox/blocked/p782

As noted in comment #3, we don't plan to deploy them yet, but probably will next week or if a serious exploit comes up.
Assignee: nobody → jorge
Flags: needinfo?(kjozwiak)
(Reporter)

Comment 5

3 years ago
Windows 10 x64 (VM)
===================

File: NPSWF32_18_0_0_232.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_232.dll
Version: 18.0.0.232
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-22-03-02-04-mozilla-central/

File: NPSWF32_18_0_0_209.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll
Version: 18.0.0.209
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/releases/41.0/

File: NPSWF32_18_0_0_241.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_241.dll
Version: 18.0.0.241
State: Enabled
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/candidates/42.0b1-candidates/build1/

File: NPSWF32_19_0_0_185.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll
Version: 19.0.0.185
State: Enabled
Shockwave Flash 19.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-22-00-40-45-mozilla-aurora/

Win 8.1 x64 (VM)
================

File: NPSWF32_18_0_0_232.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_232.dll
Version: 18.0.0.232
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/releases/41.0/

File: NPSWF32_18_0_0_209.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll
Version: 18.0.0.209
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/candidates/42.0b1-candidates/build1/

File: NPSWF32_18_0_0_241.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_241.dll
Version: 18.0.0.241
State: Enabled
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-22-03-02-04-mozilla-central/

File: NPSWF32_19_0_0_185.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll
Version: 19.0.0.185
State: Enabled
Shockwave Flash 19.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-22-00-40-45-mozilla-aurora/

OSX 10.10.5 x64
===============

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.232
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-22-03-02-04-mozilla-central/

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.209
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-22-00-40-45-mozilla-aurora/

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.241
State: Enabled
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/candidates/42.0b1-candidates/build1/

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 19.0.0.185
State: Enabled
Shockwave Flash 19.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/releases/41.0/

Ubuntu 14.04.3 x64 (VM)
=======================

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.508
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-22-03-02-04-mozilla-central/

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.491
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-22-00-40-45-mozilla-aurora/

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.521
State: Enabled
Shockwave Flash 11.2 r202
-> Build: https://archive.mozilla.org/pub/firefox/candidates/42.0b1-candidates/build1/
Flags: needinfo?(kjozwiak)
(Assignee)

Comment 6

3 years ago
The blocks are now live:

Flash Player Plugin 18.0.0.204 to 18.0.0.232 (click-to-play)
https://addons.mozilla.org/blocked/p1026

Flash Player Plugin on Linux 11.2.202.482 to 11.2.202.508 (click-to-play)
https://addons.mozilla.org/blocked/p1028
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 44.2
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.