Closed Bug 1302525 Opened 4 years ago Closed 4 years ago

Plugin block request: Adobe Flash Player 22.0.0.209, 22.0.0.211 and earlier, 18.0.0.366 and earlier

Categories

(Toolkit :: Blocklist Policy Requests, defect)

RESOLVED FIXED

People

(Reporter: guigs, Assigned: eviljeff)

(Whiteboard: [plugin])

Plugin name: Flash Player.plugin
Plugin versions to block: 22.0.0.209, 22.0.0.211 and earlier, 18.0.0.366 and earlier, 11.2.202.632 and earlier
Applications, versions, and platforms affected: 
Block severity: (hard

How does this plugin appear in about:plugins?
    File: 
    Version: 
    Description: 

    File: Flash Player.plugin
    Path: /Library/Internet Plug-Ins/Flash Player.plugin
    Version: 22.0.0.209
    State: Enabled
    Shockwave Flash 22.0 r0

    File: NPSWF32_22_0_0_209.dll
    Path: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_22_0_0_209.dll
    Version: 22.0.0.209
    State: Enabled
    Shockwave Flash 22.0 r0

    File: NPSWF32_22_0_0_209.dll
    Path: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll
    Version: 22.0.0.209
    State: Enabled
    Shockwave Flash 22.0 r0

    File: NPSWF32_22_0_0_211.dll
    Path: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_211.dll
    Version: 22.0.0.211
    State: Enabled
    Shockwave Flash 22.0 r0

(don't have linux sorry)
Homepage and other references and contact info: 
https://helpx.adobe.com/security/products/flash-player/apsb16-29.html
Summary: Plugin block request: <plugin name> → Plugin block request: Adobe Flash Player 22.0.0.209, 22.0.0.211 and earlier, 18.0.0.366 and earlier
Does anyone know if Adobe Flash is still tracking blocklist in Firefox?
(In reply to rmcguigan from comment #1)
> Does anyone know if Adobe Flash is still tracking blocklist in Firefox?

If you're asking whether this blocklist request is still relevant, the answer is yes. It should be handled soon.
Assignee: nobody → awilliamson
Hello Andrew, based on the top crasher on Aurora50 since a week, it seems most of the crashes are coming from the latest version 23.0.0.162. See http://bit.ly/2d1rghh for crash info.

Is there a possibility we can block that version too?
Flags: needinfo?(awilliamson)
(In reply to Ritu Kothari (:ritu) from comment #4)
> Hello Andrew, based on the top crasher on Aurora50 since a week, it seems
> most of the crashes are coming from the latest version 23.0.0.162. See
> http://bit.ly/2d1rghh for crash info.
> 
> Is there a possibility we can block that version too?

Can you file a separate bug for it? (We can... though blocking a release version of Flash is a contentious issue.)
Flags: needinfo?(awilliamson)
Everything looks like it's working correctly. However, the Flash Extended Support Release (18.0.0.366) is currently pointing to /blocked/p940/ [1] which is currently displaying "Flash Player Plugin 13.0.0.296 to 13.0.0.301 (click-to-play) has been blocked for your protection." Is the new p940 link replacing the current [1] one with the new range that will include the version that's being blocked in this bug?

[1] https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p940

Windows 10 x64 VM: PASSED
=========================

File: NPSWF32_22_0_0_209.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_22_0_0_209.dll
Version: 22.0.0.209
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 22.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/09/2016-09-20-00-40-04-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to firefox/blocked/p941
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: NPSWF32_18_0_0_366.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_18_0_0_366.dll
Version: 18.0.0.366
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/09/2016-09-20-03-04-29-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to firefox/blocked/p940
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: NPSWF32_23_0_0_162.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_23_0_0_162.dll
Version: 23.0.0.162
State: Enabled
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/48.0.2/win32/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" enabled

File: NPSWF32_18_0_0_375.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_18_0_0_375.dll
Version: 18.0.0.375
State: Enabled
Shockwave Flash 18.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/49.0-candidates/build4/win32/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" enabled

OSX 10.11.6 x64: PASSED
=======================

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 22.0.0.209
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 22.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/48.0.2/mac/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to firefox/blocked/p941
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.366
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/09/2016-09-20-00-40-04-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to firefox/blocked/p940
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 23.0.0.162
State: Enabled
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/09/2016-09-20-03-04-29-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" enabled

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.375
State: Enabled
Shockwave Flash 18.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/09/2016-09-20-03-04-29-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" enabled

Ubuntu 16.04.1 LTS VM x64: PASSED
=================================

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.632
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/09/2016-09-20-03-04-29-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to firefox/blocked/p939
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.635
State: Enabled
Shockwave Flash 11.2 r202

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/09/2016-09-20-00-40-04-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" enabled
Flags: needinfo?(kjozwiak) → needinfo?(awilliamson)
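
An added example, not part of the bug or of Firefox's own code: a Python check that re-derives the expected blocklist state for each entry of a verification report laid out like the one above and lists any entry whose logged state disagrees. It assumes each "and earlier" bound applies only within its own major branch (the bug states no lower bounds), which is why 18.0.0.375 stays unblocked although it sorts below 22.0.0.211; the function names and the sample text are constructed for illustration.

```python
import re

# Upper bounds named in this bug, keyed by Flash major branch.
# Assumption: a block only covers its own branch (no lower bounds are given).
BLOCKED_UP_TO = {
    22: (22, 0, 0, 211),
    18: (18, 0, 0, 366),
    11: (11, 2, 202, 632),
}
STATE_NOT_BLOCKED = 0                    # "changed from 0 to 0" in the log
STATE_VULNERABLE_UPDATE_AVAILABLE = 4    # "changed from 0 to 4" in the log

def parse_version(text):
    """Dotted version -> tuple of ints, so 22.0.0.99 < 22.0.0.211."""
    return tuple(int(part) for part in text.strip().split("."))

def expected_state(version):
    v = parse_version(version)
    ceiling = BLOCKED_UP_TO.get(v[0])
    if ceiling is not None and v <= ceiling:
        return STATE_VULNERABLE_UPDATE_AVAILABLE
    return STATE_NOT_BLOCKED

# One entry = a "Version:" line followed by its console-log line. The
# lookahead stops an entry with no log line from borrowing the next one's.
ENTRY = re.compile(
    r"Version:\s*(?P<version>[\d.]+)(?:(?!Version:).)*?"
    r"changed from \d+ to (?P<state>\d+)", re.S)

def check_report(report):
    """Return [(version, observed, expected)] for entries that disagree."""
    mismatches = []
    for m in ENTRY.finditer(report):
        observed = int(m.group("state"))
        expected = expected_state(m.group("version"))
        if observed != expected:
            mismatches.append((m.group("version"), observed, expected))
    return mismatches

# Constructed sample in the layout of the verification report.
SAMPLE = """\
File: NPSWF32_22_0_0_209.dll
Version: 22.0.0.209
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4

File: NPSWF32_18_0_0_375.dll
Version: 18.0.0.375
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
"""

if __name__ == "__main__":
    print(check_report(SAMPLE) or "all entries match the expected state")
```
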
18.0.0.366 block is pointing to a url on production AMO? https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p940 *not* something on the -dev blocklist?

(that they're both p940 is entirely coincidental - the production blocklist has more entries because of bulk certificate blocks that we don't manually test so the numbers when live are likely to be p1272-4)
Flags: needinfo?(awilliamson) → needinfo?(kjozwiak)
> 18.0.0.366 block is pointing to a url on production AMO?
> https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p940 *not*
> something on the -dev blocklist?

I went through the blocks against 18.0.0.366 and ensured that the links were pointing to the blocklist-dev url [1]. Clicking on "Update Now" under about:addons will correctly open the url in a new tab and display "Flash Player Plugin 18.0.0.360 to 18.0.0.366 (click-to-play) has been blocked for your protection.".

[1] https://blocklist-dev.allizom.org/en-US/firefox/blocked/p940

Platforms checked:

* Win 10 x64 - PASSED
** build: fx52.0a1, buildId: 20160921030221, changeset: e2d2897e4a74

* OSX 10.11.6 x64 - PASSED
** build: fx51.0a2, buildId: 20160921004005, changeset: 9f757cfe0d33

> (that they're both p940 is entirely coincidental - the production blocklist
> has more entries because of bulk certificate blocks that we don't manually
> test so the numbers when live are likely to be p1272-4)

Sounds great! I wasn't too sure if this would cause conflicts once it was pushed into production. Apologies for the red flag.
Flags: needinfo?(kjozwiak)