Block Flash 23.0.0.185 and earlier for active exploit vulnerabilities

RESOLVED FIXED

Status

()

Toolkit
Blocklisting
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: Benjamin Smedberg, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
Yesterday Adobe released an emergency Flash update for exploits which are being actively exploited in the wild.

https://helpx.adobe.com/flash-player/release-note/fp_23_air_23_release_notes.html is currently not fully updated: I believe that for windows/mac the broken version is 23.0.0.185 and the updated version is 23.0.0.205. For Linux we're looking for 11.2.202.643 (see http://www.theregister.co.uk/2016/10/26/adobe_patches_fresh_flash_zeroday/). I've reached out to Adobe to confirm the details.

Our policy is that when there is a known active exploit that we immediately block the exploitable version, which is what I believe we should plan on doing here. Jorge, are you still in charge of that? If so can we get this staged and tested today?

It should be a vulnerable-updateable block.

Please make sure that the info URL in the block points to https://get.adobe.com/flashplayer/

Is the AMO QA team responsible for testing new plugin blocks, or should that be coordinate through Michelle Funches who is the QA lead for plugins?
Flags: needinfo?(mfunches)
Flags: needinfo?(krupa.mozbugs)
(Reporter)

Updated

2 years ago
Flags: needinfo?(jorge)
(Reporter)

Comment 1

2 years ago
Adobe confirms we should be using the information at https://helpx.adobe.com/security/products/flash-player/apsb16-36.html

We should proceed with immediate vulnerable-updateable blocklisting.
The blocks are now staged:

Flash Player Plugin 22.0.0.211 to 23.0.0.185 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p947

Flash Player Plugin on Linux 11.2.202.632 to 11.2.202.637 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p946

I don't see any info on that page regarding the ESR branch (18.x). Benjamin, can you confirm there's nothing to block there?
Flags: needinfo?(kjozwiak)
Flags: needinfo?(jorge)
Flags: needinfo?(benjamin)
macOS 10.12.1 x64: PASSED
=========================

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 23.0.0.185
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/49.0.2/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p947
* esnured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 23.0.0.205
State: Enabled
Shockwave Flash 23.0 r0

* build used: build used: https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-27-00-40-20-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* esnured that "Always Active" enabled

Windows 10 x64: PASSED
======================

File: NPSWF32_23_0_0_185.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_23_0_0_185.dll
Version: 23.0.0.185
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-27-00-40-20-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p947
* esnured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: NPSWF32_23_0_0_205.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_23_0_0_205.dll
Version: 23.0.0.205
State: Enabled
Shockwave Flash 23.0 r0

* build used: build used: https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-27-03-02-11-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* esnured that "Always Active" enabled

Ubuntu 16.04.1 LTS: PASSED
==========================

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.637
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

* build used: https://archive.mozilla.org/pub/firefox/releases/49.0.2/linux-x86_64/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p946
* esnured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.643
State: Enabled
Shockwave Flash 11.2 r202

* build used: https://archive.mozilla.org/pub/firefox/candidates/50.0b9-candidates/build1/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* esnured that "Always Active" enabled
Flags: needinfo?(mfunches)
Flags: needinfo?(kjozwiak)
(In reply to Jorge Villalobos [:jorgev] from comment #2)
> I don't see any info on that page regarding the ESR branch (18.x). Benjamin,
> can you confirm there's nothing to block there?

Please ni? me if we need to test the ESR branch (18.x). However, I don't see a build available under Adobe's Flash Archive Page [1].

[1] https://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html
(Reporter)

Comment 5

2 years ago
https://www.adobe.com/support/flashplayer/debug_downloads.html

"The final release of the ESR occurred on October 11, 2016 and it is now discontinued." - There is no more Flash ESR release and so our testing is final. This is ready for prod.
Flags: needinfo?(benjamin)
Per comment #5, we need to block all versions in the 18.x branch. This new block is now staged:

Flash Player Plugin 18.0.0.366 to 18.0.0.382 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/

Note that this one is set to "update unavailable".

This isn't blocking the push of the other two blocks, which will probably happen shortly.
Flags: needinfo?(kjozwiak)
(Reporter)

Comment 7

2 years ago
> Note that this one is set to "update unavailable".

Why? We want to show the UI for people to update to Flash release; that is the supported upgrade path for users who were formerly using Flash ESR.
(In reply to Benjamin Smedberg [:bsmedberg] from comment #7)
> Why? We want to show the UI for people to update to Flash release; that is
> the supported upgrade path for users who were formerly using Flash ESR.

Right, I didn't consider Adobe had already set up that upgrade path. I updated the staged block.
The two main blocks are live:

Flash Player Plugin 22.0.0.211 to 23.0.0.185 (click-to-play)
https://addons.mozilla.org/blocked/p1413

Flash Player Plugin on Linux 11.2.202.632 to 11.2.202.637 (click-to-play) 
https://addons.mozilla.org/blocked/p1412
Windows 10 x64: PASSED
======================

File: NPSWF32_18_0_0_382.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_18_0_0_382.dll
Version: 18.0.0.382
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/49.0.2/win32/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p948
* esnured that "Always Active" is disabled

Windows 8.1 x64: PASSED
=======================

File: NPSWF32_18_0_0_382.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_382.dll
Version: 18.0.0.382
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-28-03-02-04-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p948
* esnured that "Always Active" is disabled

macOS 10.12.1 x64: PASSED
=========================

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.382
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/50.0b9-candidates/build1/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p948
* esnured that "Always Active" is disabled
Flags: needinfo?(kjozwiak)
Thanks, Kamil.

Last block is up: https://addons.mozilla.org/en-US/firefox/blocked/p1415
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(krupa.mozbugs)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.