Closed Bug 1214459 Opened 10 years ago Closed 10 years ago

Blocklist vulnerable versions of Flash Player plugin (19.0.0.207 and lower)

Categories: Toolkit :: Blocklist Policy Requests (defect)
Type: defect; Priority: Not set; Severity: normal
Status: RESOLVED FIXED
People: Reporter: kjozwiak; Assigned: jorgev

Details

New versions of the Flash Player plugin have been released to address several critical vulnerabilities: https://helpx.adobe.com/security/products/flash-player/apsb15-25.html

Despite the recent patch, it seems there's still an unpatched zero-day that's exploiting users. Adobe is currently investigating but there has been no confirmation.
- http://www.securityweek.com/russia-linked-pawn-storm-attackers-exploiting-new-adobe-flash-zero-day

Affected Versions:
- Adobe Flash Player Desktop Runtime 19.0.0.185 and earlier (Win/OSX)
- Adobe Flash Player Extended Support Release 18.0.0.241 and earlier (Win/OSX)
- Adobe Flash Player 11.2.202.521 and earlier (Linux)

I created the bug just in case, but I'm not sure what we should do here. Should we start the process for the blocklist or wait to see what Adobe does relating to this alleged zero-day?
The "good" versions are:
- 19.0.0.207 (mac/win)
- 18.0.0.252 (mac/win esr)
- 11.2.202.535 (linux)

Blocking the currently obsolete version will not protect users from the known unfixed exploits, and I haven't seen any claims that the vulnerabilities Adobe just fixed are being exploited. From the description in the SecurityWeek article these appear to be targeted attacks rather than widespread.
From Trend Micro's Brooks Li, Feike Hacquebord, and Peter Pi: "Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207." http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/
So it sounds like it's best to wait for the updates that fix the zero-day before we take any action here.
Here's the newest advisory from Flash: * https://helpx.adobe.com/security/products/flash-player/apsa15-05.html Should we create a new bug and close this one?
Once the new updates are available, I think we should morph this bug to block the affected versions.
Blocks: 1214807
Adobe's latest update, just released, fixes the 0day and two more previously unknown vulnerabilities.
* https://helpx.adobe.com/security/products/flash-player/apsb15-27.html

Affected Versions:
- 19.0.0.207 and earlier - Windows and Macintosh
- 18.0.0.252 and earlier - Windows and Macintosh
- 11.2.202.535 and earlier - Linux

GOOD Versions:
- 19.0.0.226 - Windows and Macintosh
- 18.0.0.255 - Windows and Macintosh
- 11.2.202.540 - Linux

Are we all set to update the bug and blocklist the affected versions?
Flags: needinfo?(jorge)
Summary: Blocklist vulnerable versions of Flash Player plugin (19.0.0.185 and lower) → Blocklist vulnerable versions of Flash Player plugin (19.0.0.207 and lower)
The blocks are staged now:
- Flash Player Plugin on Linux 11.2.202.509 to 11.2.202.539 (click-to-play): https://addons-dev.allizom.org/en-US/firefox/blocked/p785
- Flash Player Plugin 18.0.0.233 to 18.0.0.254 (click-to-play): https://addons-dev.allizom.org/en-US/firefox/blocked/p786
- Flash Player Plugin 19.0 to 19.0.0.225 (click-to-play): https://addons-dev.allizom.org/en-US/firefox/blocked/p787

They won't be deployed to production until probably mid next week.
Assignee: nobody → jorge
Flags: needinfo?(jorge) → needinfo?(kjozwiak)
Keywords: qawanted
OSX 10.11 x64
=============

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 19.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 19.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 4
-> Build used: https://archive.mozilla.org/pub/firefox/nightly/2015-10-19-03-02-27-mozilla-central/

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.252
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 4
-> Build used: https://archive.mozilla.org/pub/firefox/releases/42.0b7/

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 19.0.0.226
State: Enabled
Shockwave Flash 19.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 0
-> Build used: https://archive.mozilla.org/pub/firefox/releases/41.0.2/

Win 10 x64 (VM)
===============

File: NPSWF32_19_0_0_207.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_207.dll
Version: 19.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 19.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 4
-> Build used: https://archive.mozilla.org/pub/firefox/nightly/2015-10-19-00-40-47-mozilla-aurora/

File: NPSWF32_18_0_0_252.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_252.dll
Version: 18.0.0.252
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 4
-> Build used: https://archive.mozilla.org/pub/firefox/releases/42.0b7/

File: NPSWF32_19_0_0_226.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll
Version: 19.0.0.226
State: Enabled
Shockwave Flash 19.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 0
-> Build used: https://archive.mozilla.org/pub/firefox/nightly/2015-10-19-03-02-27-mozilla-central/

File: NPSWF32_18_0_0_255.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_255.dll
Version: 18.0.0.255
State: Enabled
Shockwave Flash 18.0 r0
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 0
-> Build used: https://archive.mozilla.org/pub/firefox/releases/41.0.2/

Ubuntu 14.04.3 x64 (VM)
=======================

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.535
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 4
-> Build used: https://archive.mozilla.org/pub/firefox/releases/41.0.2/

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.540
State: Enabled
Shockwave Flash 11.2 r202
-> Checked Logging: Blocklist state for Shockwave Flash changed from 0 to 0
-> Build used: https://archive.mozilla.org/pub/firefox/nightly/2015-10-19-03-02-27-mozilla-central/
Flags: needinfo?(kjozwiak)
Keywords: qawanted
The blocks are now live:
- Flash Player Plugin on Linux 11.2.202.509 to 11.2.202.539 (click-to-play): https://addons.mozilla.org/blocked/p1044
- Flash Player Plugin 18.0.0.233 to 18.0.0.254 (click-to-play): https://addons.mozilla.org/blocked/p1046
- Flash Player Plugin 19.0 to 19.0.0.225 (click-to-play): https://addons.mozilla.org/blocked/p1048
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → 44.3
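The staged ranges above and the QA pass that verified them (state 0 to 4 for 19.0.0.207, 18.0.0.252 and 11.2.202.535; 0 to 0 for 19.0.0.226, 18.0.0.255 and 11.2.202.540) boil down to an inclusive version-range match with an OS restriction on the Linux entry. The following is an added example that reproduces that matching against the three live block entries; it is not Mozilla's blocklist code. The block ids, the ranges and the state codes 0 and 4 come from this bug; the data structures, the `os` field and the about:plugins excerpt used as input are this example's own constructed assumptions.

```python
"""Version-range matching for the Flash click-to-play blocks in this bug.

Added example, not Mozilla's blocklist code. The three ranges, the block ids
(p1044/p1046/p1048) and the state codes 0 and 4 are taken from the bug; the
data structures, the `os` field and the about:plugins excerpt are this
example's own (constructed) assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Blocklist states as they appear in the QA log on this bug
# ("changed from 0 to 4" = not blocked -> vulnerable, update available).
STATE_NOT_BLOCKED = 0
STATE_VULNERABLE_UPDATE_AVAILABLE = 4


@dataclass(frozen=True)
class BlockRange:
    block_id: str
    min_version: str          # inclusive
    max_version: str          # inclusive
    os: Optional[str] = None  # None: applies on every OS (assumed field)


# Live block entries from the comment above.
BLOCKS = [
    BlockRange("p1044", "11.2.202.509", "11.2.202.539", os="Linux"),
    BlockRange("p1046", "18.0.0.233", "18.0.0.254"),
    BlockRange("p1048", "19.0", "19.0.0.225"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted numeric Flash version into a comparable tuple.

    Short versions such as "19.0" are zero-padded to four parts so that
    "19.0" compares equal to "19.0.0.0" instead of sorting before it.
    Simplified on purpose: Flash versions are purely numeric, so letter
    suffixes handled by the toolkit's version comparator are not needed.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def blocklist_state(version: str, os_name: str) -> tuple[int, Optional[str]]:
    """Return (state, block_id) for a plugin version on the given OS."""
    v = parse_version(version)
    for block in BLOCKS:
        if block.os is not None and block.os != os_name:
            continue
        if parse_version(block.min_version) <= v <= parse_version(block.max_version):
            return STATE_VULNERABLE_UPDATE_AVAILABLE, block.block_id
    return STATE_NOT_BLOCKED, None


def check_about_plugins(text: str, os_name: str) -> list[tuple[str, int, Optional[str]]]:
    """Pull every "Version:" line out of an about:plugins dump and classify it."""
    results = []
    for line in text.splitlines():
        if line.startswith("Version:"):
            version = line.split(":", 1)[1].strip()
            state, block_id = blocklist_state(version, os_name)
            results.append((version, state, block_id))
    return results


# Constructed about:plugins excerpt in the format shown in the QA comment.
SAMPLE_ABOUT_PLUGINS = """\
File: NPSWF32_19_0_0_207.dll
Path: C:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\NPSWF32_19_0_0_207.dll
Version: 19.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 19.0 r0

File: NPSWF32_19_0_0_226.dll
Path: C:\\WINDOWS\\SysWOW64\\Macromed\\Flash\\NPSWF32_19_0_0_226.dll
Version: 19.0.0.226
State: Enabled
Shockwave Flash 19.0 r0
"""

if __name__ == "__main__":
    for version, state, block_id in check_about_plugins(SAMPLE_ABOUT_PLUGINS, "Windows"):
        print(f"Shockwave Flash {version}: state {state}"
              + (f" (block {block_id})" if block_id else ""))
```

Two details matter when checking a range like this by hand: the bounds are inclusive, so 19.0.0.225 is blocked while 19.0.0.226 (the fixed build) is not, and the Linux entry must be scoped to Linux, otherwise a stray 11.2.x version string on another OS would be flagged by an entry that was never meant for it.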
Is Flash still being blocked? Flash objects are still asking to be allowed or continue to be blocked. How do I resolve this Flash issue?
> Is Flash still being blocked? Flash objects are still asking to be allowed
> or continue to be blocked. How do I resolve this Flash issue?

Firefox shouldn't be blocking Flash by default if you have the latest version installed (Flash 19.0.0.226). In your URL bar, type in "about:addons" and select "Plugins". Is your Flash marked as vulnerable? What version are you currently using? You can also check about:plugins and look under "Shockwave Flash"; you should see something similar to:

>> File: NPSWF32_19_0_0_226.dll
>> Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll
>> Version: 19.0.0.226
>> State: Enabled
>> Shockwave Flash 19.0 r0
Product: addons.mozilla.org → Toolkit