Closed Bug 1241237 Opened 9 years ago Closed 9 years ago

Blocklist vulnerable versions of Silverlight plugin (5.1.41105.0 and lower)

Categories

(Toolkit :: Blocklist Policy Requests, defect)

RESOLVED FIXED

People

(Reporter: cpeterson, Assigned: jorgev)

https://technet.microsoft.com/en-us/library/security/MS16-006

What versions of Microsoft Silverlight 5 are affected by the vulnerabilities?
Microsoft Silverlight build 5.1.41212.0, which was the current build of Microsoft Silverlight as of when this bulletin was first released (January 14, 2016), addresses the vulnerabilities and is not affected. Builds of Microsoft Silverlight previous to 5.1.41212.0 are affected.

According to Wikipedia, the previous version of Silverlight is 5.1.41105.0 (released 2015-12-08).

https://en.wikipedia.org/wiki/Microsoft_Silverlight_version_history#Release_history

The block is staged: https://addons-dev.allizom.org/blocked/p803

Kamil, can you please give this a look?
Flags: needinfo?(kjozwiak)
* http://www.microsoft.com/getsilverlight/locale/en-us/html/Microsoft%20Silverlight%20Release%20History.htm
** https://www.microsoft.com/en-us/download/details.aspx?id=50349

I've also created the following entry in the blocklisting wiki:

* https://wiki.mozilla.org/Blocklisting/Testing#Silverlight_.28Downloading.29

Windows 10 Pro x64 VM:
======================

File: npctrl.dll
Path: c:\Program Files (x86)\Microsoft Silverlight\5.1.41105.0\npctrl.dll
Version: 5.1.41105.0
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
5.1.41105.0

* Build Used: http://archive.mozilla.org/pub/firefox/nightly/2016/01/2016-01-21-03-02-08-mozilla-central/
* Browser Console: Blocklist state for Silverlight Plug-In changed from 0 to 4
* ensured that the plugin appeared as vulnerable under about:addons
* ensured "Always Active" has been disabled under about:addons
* ensured "Update Now" link pointed to /p803/
* ensured the following websites have been blocked:
** https://www.microsoft.com/silverlight/iis-smooth-streaming/demo/
** https://www.microsoft.com/silverlight/skinning-and-styling/demo/

Updated the plugin to the following version:

File: npctrl.dll
Path: c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll
Version: 5.1.41212.0
State: Enabled
5.1.41212.0

* ensured that the update to 5.1.41212.0 worked correctly
* ensured that Silverlight doesn't appear vulnerable under about:addons
* ensured that the following website wasn't being blocked anymore:
** https://www.microsoft.com/silverlight/iis-smooth-streaming/demo/
** https://www.microsoft.com/silverlight/skinning-and-styling/demo/

OSX 10.11.2 x64:
================

File: Silverlight.plugin
Path: /Library/Internet Plug-Ins/Silverlight.plugin
Version: 5.1.41105.0
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
5.1.41105.0

* Build Used: https://archive.mozilla.org/pub/firefox/candidates/44.0-candidates/build2/mac/en-US/
* Browser Console: Blocklist state for Silverlight Plug-In changed from 0 to 4
* ensured that the plugin appeared as vulnerable under about:addons
* ensured "Always Active" has been disabled under about:addons
* ensured "Update Now" link pointed to /p803/
* ensured the following website was blocked:
** https://www.microsoft.com/silverlight/iis-smooth-streaming/demo/
** https://www.microsoft.com/silverlight/skinning-and-styling/demo/

Updated the plugin to the following version:

File: Silverlight.plugin
Path: /Library/Internet Plug-Ins/Silverlight.plugin
Version: 5.1.41212.0
State: Enabled
5.1.41212.0

* ensured that the update to 5.1.41212.0 worked correctly
* ensured that Silverlight doesn't appear vulnerable under about:addons
* ensured that the following website wasn't being blocked anymore:
** https://www.microsoft.com/silverlight/iis-smooth-streaming/demo/
** https://www.microsoft.com/silverlight/skinning-and-styling/demo/
Flags: needinfo?(kjozwiak)
When going through the above testing, I found the following potential issues:

Potential Issues:

* Once I updated 5.1.41105.0 to 5.1.41212.0, the plugin was set to "Ask to Activate" rather than "Always Active"
* Silverlight doesn't seem to be working under non-e10s tabs/windows. The tabs/windows are always displaying the "Install Microsoft Silverlight" banner.

Let me know if these are expected or already known issues. If not, I'll create new bugs and investigate further.

(In reply to Kamil Jozwiak [:kjozwiak] from comment #3)
> * Once I updated 5.1.41105.0 to 5.1.41212.0, the plugin was set to "Ask to
> Activate" rather than "Always Active"

This is expected because only Flash defaults to "Always Active".

> * Silverlight doesn't seem to be working under non-e10s tabs/windows. The
> tabs/windows are always displaying the "Install Microsoft Silverlight"
> banner.

That sounds like a bug, so please file it. It shouldn't block this bug, as far as I can tell.

> That sounds like a bug, so please file it. It shouldn't block this bug, as
> far as I can tell.

Agreed, the issue shouldn't block the release of the blocklist. Created bug # 1242021.
We're discussing the timing for this block, to make sure the user impact is minimal.
The block has been pushed now for Windows: https://addons.mozilla.org/firefox/blocked/p1120
The block has been updated to extend to Mac OS.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
I am a LightSwitch developer. For desktop applications, LightSwitch uses Silverlight technology. As a result, I have to urge its customers to abandon Firefox???
Only old versions of Silverlight are blocked. The current version of Silverlight (5.1.41212.0) works fine and is not blocked.
And _this_ is why we blocklisted old Silverlight: http://arstechnica.com/security/2016/02/malicious-websites-exploit-silverlight-bug-that-can-pwn-macs-and-windows/ Angler is a "popular" exploit pack that pops up in malvertising attacks on otherwise-trusted sites.
Thank you for blocking the Silverlight 5.1.30514.0 plugin; as a result I lost a job worth about 1.5 million Ft, that is, one and a half million, today. There is not even an update on the horizon at Microsoft. What did you find that made you do this, and why did you do it? You can't even watch movies because of this; this plugin is also needed for embedded *.mp4 web content, which is why I lost this website development job.
adax01, Firefox only blocks old versions of Silverlight. The current version of Silverlight available on microsoft.com is not blocked and should play video correctly.
On a Windows XP machine it reported Silverlight 5.1.30514.0 as the latest version. Silverlight was blocked on Win7 as well; I also checked under Win 10, on both 32-bit and 64-bit. I hope you will not block Silverlight version 5.1.41212.0.
So the problem is that Microsoft does not offer Silverlight 5.1.41212.0 for Windows XP? I did not know that. That would be a problem. I see that Microsoft no longer lists Windows XP on the Silverlight web site. Many Firefox users run Windows XP. I will ask if we can allow Silverlight 5.1.30514.0 on Windows XP. https://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx
I have been told that users can still "click to activate" a blocked plugin. A Windows XP user with Silverlight 5.1.30514.0 should be able to "click to activate" and proceed to use Silverlight.
Thanks, it works now.
Product: addons.mozilla.org → Toolkit
btw, I just installed Silverlight on a clean Windows XP VM and got Silverlight 5.1.41212.0, not 5.1.30514.0.
I also tried downloading Silverlight via my XP VMs and got the following results while using the following builds:

* https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-09-03-04-19-mozilla-central/
* https://archive.mozilla.org/pub/firefox/releases/45.0/win32/en-US/

Used the following links to download Silverlight:

* https://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx

Win XP SP2 x64:

* received 5.1.40416.0 (which is vulnerable but still can be used via "Allow Now")
** via the Silverlight website --> The version of Silverlight installed is: Silverlight 5 (5.1.40416.0)

Win XP SP2 x86:

* received 5.1.30514.0 (which is vulnerable but still can be used via "Allow Now")
** The version of Silverlight installed is: Silverlight 5 (5.1.30514.0)

Win XP SP3 x86:

* received 5.1.30514.0 (which is vulnerable but still can be used via "Allow Now")
** via the Silverlight website --> The version of Silverlight installed is: Silverlight 5 (5.1.30514.0)
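
The version-range decision this block relies on, as an added JavaScript example that is not part of the thread and is not Mozilla's blocklist code. It assumes purely numeric dotted versions, a `minVersion` of "0", hypothetical host names, and function names chosen here; the version numbers and the state values 0 and 4 are the ones reported in the comments above.

```javascript
// Added illustration, not Mozilla's blocklist code. States as in the thread (0 -> 4).
const STATE_NOT_BLOCKED = 0;
const STATE_VULNERABLE_UPDATE_AVAILABLE = 4;

// Range from the bug title: 5.1.41105.0 and lower (minVersion "0" is assumed).
const SILVERLIGHT_BLOCK = { minVersion: "0", maxVersion: "5.1.41105.0" };

// "5.1.41105.0" -> [5, 1, 41105, 0]; anything non-numeric is rejected.
function parseVersion(v) {
  if (typeof v !== "string" || !/^\d+(\.\d+)*$/.test(v)) {
    throw new TypeError(`not a dotted numeric version: ${v}`);
  }
  return v.split(".").map(Number);
}

// Component-wise numeric compare; missing components count as 0. A string
// compare would rank a constructed "5.1.9999.0" above "5.1.41105.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function blocklistState(version, range = SILVERLIGHT_BLOCK) {
  const inRange = compareVersions(version, range.minVersion) >= 0 &&
                  compareVersions(version, range.maxVersion) <= 0;
  return inRange ? STATE_VULNERABLE_UPDATE_AVAILABLE : STATE_NOT_BLOCKED;
}

// Audit a plugin inventory; unparseable versions get state null for review.
function auditInventory(inventory) {
  return inventory.map(({ host, version }) => {
    let state = null;
    try { state = blocklistState(version); } catch (e) { /* manual review */ }
    return { host, version, state };
  });
}

// Constructed inventory: hypothetical host names, versions from the thread.
const SAMPLE = [
  { host: "xp-sp3-x86", version: "5.1.30514.0" },
  { host: "xp-sp2-x64", version: "5.1.40416.0" },
  { host: "win10-x64", version: "5.1.41105.0" },
  { host: "osx-10-11", version: "5.1.41212.0" },
];
console.log(auditInventory(SAMPLE));
```

Only the last host, on 5.1.41212.0, comes back with state 0; the XP builds reported above fall inside the blocked range.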