Closed Bug 1286972 Opened 8 years ago Closed 8 years ago

Plugin block request: Adobe Reader 15.016.20045, 15.006.30174, 11.0.16

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Product:
Toolkit
Component:
Blocklist Policy Requests
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: guigs, Assigned: jorgev, NeedInfo)

References

Details

(Whiteboard: [plugin]) 

Plugin name: 
Plugin versions to block: 
Applications, versions, and platforms affected: 
Block severity: (hard/soft)

How does this plugin appear in about:plugins?
    File: AdobePDFViewerNPAPI.plugin, 
    File: 
    Version: 15.016.20045, 15.016.20039, 15.016.20039.54196, 15.016.20039, 11.0.16
    Description: 

Homepage and other references and contact info: 
https://helpx.adobe.com/security/products/acrobat/apsb16-26.html
Can someone confirm if the Adobe Reader plugin on Windows still uses this file: nppdf32.dll?
Assignee: nobody → jorge
Flags: needinfo?(rmcguigan)
Flags: needinfo?(kjozwiak)
Component: Security → Blocklisting
Product: addons.mozilla.org → Toolkit
(In reply to Jorge Villalobos [:jorgev] from comment #1)
> Can someone confirm if the Adobe Reader plugin on Windows still uses this
> file: nppdf32.dll?

Windows 10 x64 VM:
==================

* installed Adobe Reader 2015.017.20050
* using fx50.0a1, buildId: 20160720030208, changeset: ed8e23b5e0c7

File: nppdf32.dll
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll
Version: 15.17.20050.61080
State: Enabled
Adobe PDF Plug-In For Firefox and Netscape 15.17.20050

Windows 8.1 x64 VM:
====================

* installed Adobe Reader 2015.017.20050
* using fx50.0a1, buildId: 20160720030208, changeset: ed8e23b5e0c7

File: nppdf32.dll
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll
Version: 15.17.20050.61080
State: Enabled
Adobe PDF Plug-In For Firefox and Netscape 15.17.20050

Windows 7 x64 VM:
==================

* installed Adobe Reader 2015.017.20050
* using fx50.0a1, buildId: 20160720030208, changeset: ed8e23b5e0c7

File: nppdf32.dll
Path: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll
Version: 15.17.20050.61080
State: Enabled
Adobe PDF Plug-In For Firefox and Netscape 15.17.20050
Flags: needinfo?(kjozwiak)
Thanks. This block is now live: https://addons.mozilla.org/blocked/p1246
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(rmcguigan)
Resolution: --- → FIXED
I've had reports of users using Adobe Reader 11.0.17 being hit by, I think, this block.  Adobe Reader 11.0.17 is the latest in the Adobe Reader XI branch and is still under security support.  I don't believe it should be blocked: can this be fixed, please?
We have also a lot of complaints that 11.0.17 is now blocked. Adobe Reader 11 is still supported until October 2017 and is probably the main version used in enterprise environments. This version should definitely not be blocked.
11.0.17 is now blocked for me, too.
Please update blocklist.xml as soon as possible.
I note that bug 1288374 has been raised specifically asking for 11.0.17 to be considered safe.
Depends on: 1288374
No longer depends on: 1288374
Sorry about that. I've split the block in two now:

Adobe Reader 12 to 15.016.20045
https://addons.mozilla.org/blocked/p1247

Adobe Reader 10.1.6 to 11.0.16 
https://addons.mozilla.org/blocked/p1246
i think the block may have to be further split up since there is also a classic track of the acrobat plugin which still receives updates - this is how the updated version of the classic track shows up under about:plugins:

Adobe Acrobat

    File: nppdf32.dll,nppdf32.dll
    Path: C:\Program Files (x86)\Adobe\Acrobat Reader 2015\Reader\browser\nppdf32.dll,C:\Program Files (x86)\Adobe\Acrobat Reader 2015\Reader\AIR\nppdf32.dll
    Version: 15.6.30198.61077
    State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
    Adobe PDF Plug-In For Firefox and Netscape 15.6.30198
Flags: needinfo?(jorge)
Ugh, that's confusing. And this versioning system doesn't help at all... http://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/whatsnewdc.html#dc-versioning
Flags: needinfo?(jorge)
I just blocked the latest affected versions, since now I don't know if normal version ranges apply to their versioning system.

Adobe Reader (Continuous) 15.016.20045
https://addons.mozilla.org/blocked/p1250

Adobe Reader (Classic) 15.006.30174 
https://addons.mozilla.org/blocked/p1247

Please ni :eviljeff if more updates are needed here. I'll be unavailable in the coming days.
We're getting the blocked message on Adobe Acrobat DC Pro version 2015.006.30198 .

Reader and Acrobat X and below are EOL.

There's Reader XI and Reader XI MUI.
There's Acrobat XI (Pro and Standard).

All of these should have the same version number.  11.0.17 is the latest.  I have no idea if the plugin is the same across all three.

There's Adobe Acrobat Reader MUI DC Classic, Adobe Acrobat Reader DC Continuous, and Adobe Acrobat Reader MUI DC Continuous.

There's Adobe Acrobat DC (Pro and Standard) Classic, and Adobe Acrobat DC (Pro and Standard) Continuous.

All of the "Continuous" track builds should have the same version number.  2015.017.20050 (or 15.017.20050 depending on where you look) is the latest.  I have no idea if the plugin is the same across all three.

All of the "Classic" track builds should have the same version number.  2015.006.30198 (or 15.006.30198 depending on where you look) is the latest.  I have no idea if the plugin is the same across both.

2015 is the the release year for the product line itself.  The "DC" line was released in 2015 and may or may not be replaced by a "2016" or "2017" version of the product that may or may not also be branded "DC".  It's dumb.

The second tuple (017 and 006) is part of a version number.

The first 2 digits of the third tuple denote the "Classic" track or the "Continuous" track.  30 = Classic, 20 = Continuous.  You must consider these two "tracks" separately, as they are not updated at the same time or with the same changes.

The last 3 digits of the third tuple are also part of a version number.

There is a fourth tuple that is not normally exposed, but I've never seen 2 different instances of this number for the same a.b.c version.

Adobe's own documentation is a mess, inconsistent, and contradictory.  After managing a dozen different versions of their products, I've submitted many error reports regarding their documentation to them.  They do not care.  Two examples relating to their versioning scheme for the "DC" line:

"In it's generic form, the version number will appear as major.minor.minor_minor."

This is clearly untrue based on the whole classic/continuous **** being prepended to the third tuple, and the hidden fourth tuple.  If the second tuple of the two tracks happened to line up (and we can't be guaranteed that they won't) then the third tuple cannot be treated as a simple "minor_minor" number for comparison sake.  You must take into account the two separate tracks and must parse the first 2 digits of the third tuple as the second step (the first being identifying the product line itself by the first tuple).  The third step would be to look at the second tuple, and the fourth step would be to look at the last 3 digits of the third tuple.

"The year-based version number is not the same as the Classic track name. While the Classic track version begins with 15 and the current track version is 2015, the track name only changes at each major release–not every year. The version number increments every year."

Depending on where you look, the reported version begins with "2015." or "15.".  The version number is not year-based in either case, as these releases came in 2016.  I don't know what "current track" refers to, but I assume they're trying to say that 2015 (or 15) doesn't mean the version was built that year.  This is true, but is directly conflicting with their previous statement.  Of course, they go one to say that the version number increments every year.  It doesn't.


Bottom line - you should treat these version numbers as follows:

If you have 15.b.c.d or 2015.b.c.d or 15.b.c or 2015.b.c
Change it to 15.LEFT(c,2).b.RIGHT(c,3)

Then you can compare like any sane version number.
can you confirm Adobe Acrobat DC Pro version 2015.006.30198 (15.006.30198) is still incorrectly blocked? - the blocklist has caching so you might have been getting the previous overly wider blocks.
Flags: needinfo?(bw_bloodletter)
Adobe Acrobat Plugin 11.0.17 is still being blocked when displaying pdfs in a browser window.  The Plugin Check page is also showing it as "outdated".

-Joel
(In reply to Andrew Williamson [:eviljeff] from comment #14)
> can you confirm Adobe Acrobat DC Pro version 2015.006.30198 (15.006.30198)
> is still incorrectly blocked? - the blocklist has caching so you might have
> been getting the previous overly wider blocks.

I can confirm that it's still being blocked after closing Firefox and reopening.
Is there a specific way to clear the blocklist cache?
(In reply to Anon from comment #16)
> (In reply to Andrew Williamson [:eviljeff] from comment #14)
> > can you confirm Adobe Acrobat DC Pro version 2015.006.30198 (15.006.30198)
> > is still incorrectly blocked? - the blocklist has caching so you might have
> > been getting the previous overly wider blocks.
> 
> I can confirm that it's still being blocked after closing Firefox and
> reopening.
> Is there a specific way to clear the blocklist cache?

https://wiki.mozilla.org/Blocklisting/Testing#Forcing_a_Blocklist_Ping describes a way but it's not straightforward so I didn't want to suggest it.  

We're attempting to replicate the issue ourselves.
It would also help if you try the following steps:

1) Close Firefox
2) Located your profile folder: https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data
3) Delete the file named pluginreg.dat
4) Start Firefox again

The block should disappear (if you're using an up to date version), and shouldn't show up again. Let us know if this works or not.
I checked yesterday afternoon and the block was gone.  I didn't do anything to clear the cache.
This is now being blocked again for me. It was work/quit working/started working again and today it is no longer working. I use the Adobe Create PDF all the time and really would appreciate if Mozilla left this alone or allowed a user option to override.
Flags: needinfo?(jddog)
Flags: needinfo?(bw_bloodletter)
You need to log in before you can comment on or make changes to this bug.