Blocklist vulnerable versions of Flash Player plugin (19.0.0.207 and lower)

RESOLVED FIXED in 44.3

Status

Toolkit
Blocklisting
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: kjozwiak, Assigned: jorgev)

Tracking

unspecified
44.3
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
New versions of the Flash Player plugin have been released to address several critical vulnerabilities: https://helpx.adobe.com/security/products/flash-player/apsb15-25.html

Despite the recent patch, it seems there's still an unpatched zero-day that's exploiting users. Adobe is currently investigating but there has been no confirmation. 

- http://www.securityweek.com/russia-linked-pawn-storm-attackers-exploiting-new-adobe-flash-zero-day

Affected Versions:

- Adobe Flash Player Desktop Runtime 19.0.0.185 and earlier (Win/OSX)
- Adobe Flash Player Extended Support Release 18.0.0.241 and earlier (Win/OSX)
- Adobe Flash Player 11.2.202.521 and earlier (Linux)

I created the bug just in case, but I'm not sure what we should do here. Should we start the process for the blocklist or wait to see what Adobe does relating to this alleged zero-day?
The "good" versions are:

- 19.0.0.207 (mac/win)
- 18.0.0.252 (mac/win esr)
- 11.2.202.535 (linux)

Blocking the currently obsolete version will not protect users from the known unfixed exploits, and I haven't seen any claims that the vulnerabilities Adobe just fixed are being exploited. From the description in the SecurityWeek article these appear to be targeted attacks rather than widespread.

Comment 2

2 years ago
From Trend Micro's Brooks Li, Feike Hacquebord, and Peter Pi:

"Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207."

http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/
(Assignee)

Comment 3

2 years ago
So it sounds like it's best to wait for the updates that fix the zero-day before we take any action here.
(Reporter)

Comment 4

2 years ago
Here's the newest advisory from Flash:

* https://helpx.adobe.com/security/products/flash-player/apsa15-05.html

Should we create a new bug and close this one?
(Assignee)

Comment 5

2 years ago
Once the new updates are available, I think we should morph this bug to block the affected versions.

Updated

2 years ago
Blocks: 1214807

Comment 6

2 years ago
Adobe's latest update, just released, fixes the 0day and two more previously unknown vulnerabilities.

* https://helpx.adobe.com/security/products/flash-player/apsb15-27.html

Affected Versions:
19.0.0.207 and earlier - Windows and Macintosh
18.0.0.252 and earlier - Windows and Macintosh
11.2.202.535 and earlier - Linux

GOOD Versions:
19.0.0.226 - Windows and Macintosh
18.0.0.255 - Windows and Macintosh
11.2.202.540 - Linux

Are we all set to update the bug and blocklist the affected versions?
Flags: needinfo?(jorge)
(Reporter)

Updated

2 years ago
Summary: Blocklist vulnerable versions of Flash Player plugin (19.0.0.185 and lower) → Blocklist vulnerable versions of Flash Player plugin (19.0.0.207 and lower)
(Assignee)

Comment 7

2 years ago
The blocks are staged now:

Flash Player Plugin on Linux 11.2.202.509 to 11.2.202.539 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p785

Flash Player Plugin 18.0.0.233 to 18.0.0.254 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p786

Flash Player Plugin 19.0 to 19.0.0.225 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p787

They won't be deployed to production until probably mid next week.
Assignee: nobody → jorge
Flags: needinfo?(jorge) → needinfo?(kjozwiak)
Keywords: qawanted
(Reporter)

Comment 8

2 years ago
OSX 10.11 x64
=============

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 19.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 19.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 4
-> Build used: https://archive.mozilla.org/pub/firefox/nightly/2015-10-19-03-02-27-mozilla-central/

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.252
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 4
-> Build used: https://archive.mozilla.org/pub/firefox/releases/42.0b7/

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 19.0.0.226
State: Enabled
Shockwave Flash 19.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 0
-> Build used: https://archive.mozilla.org/pub/firefox/releases/41.0.2/

Win 10 x64 (VM)
===============

File: NPSWF32_19_0_0_207.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_207.dll
Version: 19.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 19.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 4
-> Build used: https://archive.mozilla.org/pub/firefox/nightly/2015-10-19-00-40-47-mozilla-aurora/

File: NPSWF32_18_0_0_252.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_252.dll
Version: 18.0.0.252
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 4
-> Build used: https://archive.mozilla.org/pub/firefox/releases/42.0b7/

File: NPSWF32_19_0_0_226.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll
Version: 19.0.0.226
State: Enabled
Shockwave Flash 19.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 0
-> Build used: https://archive.mozilla.org/pub/firefox/nightly/2015-10-19-03-02-27-mozilla-central/

File: NPSWF32_18_0_0_255.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_255.dll
Version: 18.0.0.255
State: Enabled
Shockwave Flash 18.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 0
-> Build used: https://archive.mozilla.org/pub/firefox/releases/41.0.2/

Ubuntu 14.04.3 x64 (VM)
=======================

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.535
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 4
-> Build used: https://archive.mozilla.org/pub/firefox/releases/41.0.2/

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.540
State: Enabled
Shockwave Flash 11.2 r202
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 0
-> Build used: https://archive.mozilla.org/pub/firefox/nightly/2015-10-19-03-02-27-mozilla-central/
Flags: needinfo?(kjozwiak)
(Reporter)

Updated

2 years ago
Keywords: qawanted
(Assignee)

Comment 9

2 years ago
The blocks are now live:

Flash Player Plugin on Linux 11.2.202.509 to 11.2.202.539 (click-to-play) 
https://addons.mozilla.org/blocked/p1044

Flash Player Plugin 18.0.0.233 to 18.0.0.254 (click-to-play)
https://addons.mozilla.org/blocked/p1046

Flash Player Plugin 19.0 to 19.0.0.225 (click-to-play)
https://addons.mozilla.org/blocked/p1048
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 44.3
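The three live blocks above are plain inclusive version ranges, and the QA pass in comment 8 checks them by watching the plugin's blocklist state flip from 0 to 4 (STATE_VULNERABLE_UPDATE_AVAILABLE). The following is an added example, not code from this bug or from Firefox's blocklist service: it encodes the comment 9 ranges and re-runs the comment 8 matrix against them. The two state values come from the comment 8 log lines; the platform labels ("mac", "win", "linux") and the function names are this example's own, not Firefox's. The point worth seeing is the version comparison: components must be compared numerically (lexically, 11.2.202.54 would sort above 11.2.202.509) and a short lower bound like "19.0" has to be treated as 19.0.0.0.

```python
"""Click-to-play blocklist check for the Flash ranges in comment 9.

Added example (not Mozilla's blocklist implementation). The ranges are the
three blocks that went live; the plugin versions exercised in qa_matrix() are
the ones tested in comment 8. States 0 and 4 are the two values that appear
in the comment 8 log lines. Platform labels are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import zip_longest
from typing import Dict, Optional, Tuple

STATE_NOT_BLOCKED = 0
STATE_VULNERABLE_UPDATE_AVAILABLE = 4


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so each component compares numerically.

    String comparison gets Flash versions wrong: "11.2.202.54" < "11.2.202.509"
    as strings, but 54 < 509 as numbers.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Missing trailing components count as 0, so "19.0" == "19.0.0.0"."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


@dataclass(frozen=True)
class PluginBlock:
    name: str
    min_version: str            # inclusive lower bound, as listed in comment 9
    max_version: str            # inclusive upper bound (last vulnerable build)
    os: Optional[str] = None    # None = every platform; "linux" restricts the 11.2 block

    def matches(self, version: str, os: str) -> bool:
        if self.os is not None and self.os != os:
            return False
        return (compare_versions(version, self.min_version) >= 0
                and compare_versions(version, self.max_version) <= 0)


# The three blocks from comment 9 (p1044, p1046, p1048), all click-to-play.
FLASH_BLOCKS = (
    PluginBlock("Flash Player Plugin on Linux", "11.2.202.509", "11.2.202.539", os="linux"),
    PluginBlock("Flash Player Plugin", "18.0.0.233", "18.0.0.254"),
    PluginBlock("Flash Player Plugin", "19.0", "19.0.0.225"),
)


def blocklist_state(version: str, os: str, blocks=FLASH_BLOCKS) -> int:
    """Return 4 when a click-to-play range covers this version on this platform, else 0."""
    for block in blocks:
        if block.matches(version, os):
            return STATE_VULNERABLE_UPDATE_AVAILABLE
    return STATE_NOT_BLOCKED


def qa_matrix() -> Dict[Tuple[str, str], int]:
    """Re-run the comment 8 matrix: vulnerable builds must land on 4, fixed builds on 0."""
    cases = [
        ("mac", "19.0.0.207"), ("mac", "18.0.0.252"), ("mac", "19.0.0.226"),
        ("win", "19.0.0.207"), ("win", "18.0.0.252"),
        ("win", "19.0.0.226"), ("win", "18.0.0.255"),
        ("linux", "11.2.202.535"), ("linux", "11.2.202.540"),
    ]
    return {(os, v): blocklist_state(v, os) for os, v in cases}


if __name__ == "__main__":
    for (os, version), state in qa_matrix().items():
        print(f"{os:5} {version:14} -> blocklist state {state}")
```

Running it reproduces the comment 8 outcome: 19.0.0.207, 18.0.0.252 and 11.2.202.535 report state 4, while 19.0.0.226, 18.0.0.255 and 11.2.202.540 stay at 0. Swapping `compare_versions` for plain string comparison is an easy way to see why the numeric parse matters for the 11.2.202.x series.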

Comment 10

2 years ago
Is Flash still being blocked? Flash objects are still asking to be allowed or continue to be blocked. How do I resolve this Flash issue?
(Reporter)

Comment 11

2 years ago
> Is Flash still being blocked? Flash objects are still asking to be allowed
> or continue to be blocked. How do I resolve this Flash issue?

Firefox shouldn't be blocking Flash by default if you have the latest version installed (Flash 19.0.0.226). In your URL bar, type in "about:addons" and select "Plugins". Is your Flash marked as vulnerable? What version are you currently using? You can also check about:plugins and look under "Shockwave Flash"; you should see something similar to:

>> File: NPSWF32_19_0_0_226.dll
>> Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll
>> Version: 19.0.0.226
>> State: Enabled
>> Shockwave Flash 19.0 r0
Product: addons.mozilla.org → Toolkit