Closed Bug 1313435
Opened 8 years ago
Closed 8 years ago

Block Flash 23.0.0.185 and earlier for active exploit vulnerabilities

Categories: Toolkit :: Blocklist Policy Requests, defect
Tracking: RESOLVED FIXED
People: Reporter: benjamin, Unassigned

Details
Yesterday Adobe released an emergency Flash update for exploits which are being actively exploited in the wild. https://helpx.adobe.com/flash-player/release-note/fp_23_air_23_release_notes.html is currently not fully updated: I believe that for windows/mac the broken version is 23.0.0.185 and the updated version is 23.0.0.205. For Linux we're looking for 11.2.202.643 (see http://www.theregister.co.uk/2016/10/26/adobe_patches_fresh_flash_zeroday/). I've reached out to Adobe to confirm the details.

Our policy is that when there is a known active exploit we immediately block the exploitable version, which is what I believe we should plan on doing here. Jorge, are you still in charge of that? If so, can we get this staged and tested today? It should be a vulnerable-updateable block. Please make sure that the info URL in the block points to https://get.adobe.com/flashplayer/

Is the AMO QA team responsible for testing new plugin blocks, or should that be coordinated through Michelle Funches, who is the QA lead for plugins?
Flags: needinfo?(mfunches)
Flags: needinfo?(krupa.mozbugs)
Updated•8 years ago
Flags: needinfo?(jorge)
Comment 1•8 years ago (Reporter)
Adobe confirms we should be using the information at https://helpx.adobe.com/security/products/flash-player/apsb16-36.html We should proceed with immediate vulnerable-updateable blocklisting.
Comment 2•8 years ago
The blocks are now staged:

Flash Player Plugin 22.0.0.211 to 23.0.0.185 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p947

Flash Player Plugin on Linux 11.2.202.632 to 11.2.202.637 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p946

I don't see any info on that page regarding the ESR branch (18.x). Benjamin, can you confirm there's nothing to block there?
Flags: needinfo?(kjozwiak)
Flags: needinfo?(jorge)
Flags: needinfo?(benjamin)
Comment 3•8 years ago
macOS 10.12.1 x64: PASSED
=========================

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 23.0.0.185
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/49.0.2/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p947
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 23.0.0.205
State: Enabled
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-27-00-40-20-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" is enabled

Windows 10 x64: PASSED
======================

File: NPSWF32_23_0_0_185.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_23_0_0_185.dll
Version: 23.0.0.185
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-27-00-40-20-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p947
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: NPSWF32_23_0_0_205.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_23_0_0_205.dll
Version: 23.0.0.205
State: Enabled
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-27-03-02-11-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" is enabled

Ubuntu 16.04.1 LTS: PASSED
==========================

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.637
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

* build used: https://archive.mozilla.org/pub/firefox/releases/49.0.2/linux-x86_64/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p946
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.643
State: Enabled
Shockwave Flash 11.2 r202

* build used: https://archive.mozilla.org/pub/firefox/candidates/50.0b9-candidates/build1/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" is enabled
Flags: needinfo?(mfunches)
Flags: needinfo?(kjozwiak)
Comment 4•8 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #2)
> I don't see any info on that page regarding the ESR branch (18.x). Benjamin,
> can you confirm there's nothing to block there?

Please ni? me if we need to test the ESR branch (18.x). However, I don't see a build available under Adobe's Flash Archive Page [1].

[1] https://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html
Comment 5•8 years ago (Reporter)
https://www.adobe.com/support/flashplayer/debug_downloads.html

"The final release of the ESR occurred on October 11, 2016 and it is now discontinued."

There is no more Flash ESR release, and so our testing is final. This is ready for prod.
Flags: needinfo?(benjamin)
Comment 6•8 years ago
Per comment #5, we need to block all versions in the 18.x branch. This new block is now staged:

Flash Player Plugin 18.0.0.366 to 18.0.0.382 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/

Note that this one is set to "update unavailable". This isn't blocking the push of the other two blocks, which will probably happen shortly.
Flags: needinfo?(kjozwiak)
Comment 7•8 years ago (Reporter)
> Note that this one is set to "update unavailable".
Why? We want to show the UI for people to update to Flash release; that is the supported upgrade path for users who were formerly using Flash ESR.
Comment 8•8 years ago
(In reply to Benjamin Smedberg [:bsmedberg] from comment #7)
> Why? We want to show the UI for people to update to Flash release; that is
> the supported upgrade path for users who were formerly using Flash ESR.

Right, I didn't consider Adobe had already set up that upgrade path. I updated the staged block.
Comment 9•8 years ago
The two main blocks are live:

Flash Player Plugin 22.0.0.211 to 23.0.0.185 (click-to-play)
https://addons.mozilla.org/blocked/p1413

Flash Player Plugin on Linux 11.2.202.632 to 11.2.202.637 (click-to-play)
https://addons.mozilla.org/blocked/p1412
Comment 10•8 years ago
Windows 10 x64: PASSED
======================

File: NPSWF32_18_0_0_382.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_18_0_0_382.dll
Version: 18.0.0.382
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/49.0.2/win32/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p948
* ensured that "Always Active" is disabled

Windows 8.1 x64: PASSED
=======================

File: NPSWF32_18_0_0_382.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_382.dll
Version: 18.0.0.382
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/10/2016-10-28-03-02-04-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p948
* ensured that "Always Active" is disabled

macOS 10.12.1 x64: PASSED
=========================

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.382
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 18.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/50.0b9-candidates/build1/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* "Update Now" --> https://blocklist-dev.allizom.org/en-US/firefox/blocked/p948
* ensured that "Always Active" is disabled
Flags: needinfo?(kjozwiak)
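The three blocks in this bug are plain inclusive version ranges, and the QA logs check them by reading the "Blocklist state ... changed from 0 to N" line from the browser console. The script below is an added example, not Mozilla's blocklist implementation: it models the three staged ranges (22.0.0.211 to 23.0.0.185, 11.2.202.632 to 11.2.202.637 on Linux, 18.0.0.366 to 18.0.0.382), compares versions numerically rather than as strings, and cross-checks a constructed excerpt in the format of the QA logs from comments 3 and 10 against the states the model predicts. The state codes 0 and 4 are the ones visible in those logs; the value 5 for "update unavailable" is assumed from Firefox's nsIBlocklistService STATE_VULNERABLE_NO_UPDATE constant and does not appear on this page.

```python
"""Version-range matching for plugin blocklist entries (added example, not
Mozilla's own code). Ranges are the ones staged and pushed in this bug; state
codes 0 and 4 come from the QA console lines; 5 is assumed from Firefox's
nsIBlocklistService constants."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATE_NOT_BLOCKED = 0
STATE_VULNERABLE_UPDATE_AVAILABLE = 4
STATE_VULNERABLE_NO_UPDATE = 5  # assumption: Firefox constant, not shown on this page


def parse_version(v: str) -> Tuple[int, ...]:
    """'23.0.0.185' -> (23, 0, 0, 185). Numeric tuples order correctly where
    strings do not: as strings, '23.0.0.99' sorts above '23.0.0.185'."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def version_in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range check; shorter tuples are zero-padded so 23.0 == 23.0.0.0."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    n = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(lo) <= pad(v) <= pad(hi)


@dataclass(frozen=True)
class BlockEntry:
    name: str
    min_version: str
    max_version: str
    platforms: Optional[Tuple[str, ...]]   # None = applies on every platform
    update_available: bool = True          # "vulnerable-updateable" vs "update unavailable"
    info_url: str = "https://get.adobe.com/flashplayer/"


# The three blocks from this bug (AMO ids p1413, p1412 and p1415).
ENTRIES = [
    BlockEntry("Flash Player Plugin", "22.0.0.211", "23.0.0.185", None),
    BlockEntry("Flash Player Plugin on Linux", "11.2.202.632", "11.2.202.637", ("linux",)),
    BlockEntry("Flash Player Plugin (18.x ESR)", "18.0.0.366", "18.0.0.382", None),
]


def blocklist_state(version: str, platform: str, entries=ENTRIES) -> int:
    """Return the blocklist state code a Flash plugin of this version would get."""
    for e in entries:
        if e.platforms is not None and platform not in e.platforms:
            continue
        if version_in_range(version, e.min_version, e.max_version):
            return STATE_VULNERABLE_UPDATE_AVAILABLE if e.update_available else STATE_VULNERABLE_NO_UPDATE
    return STATE_NOT_BLOCKED


# Constructed excerpt in the shape of the QA logs above (headings, Version
# lines and the browser-console state line), used to cross-check the model.
SAMPLE_QA_LOG = """\
macOS 10.12.1 x64: PASSED
Version: 23.0.0.185
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
Version: 23.0.0.205
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
Ubuntu 16.04.1 LTS: PASSED
Version: 11.2.202.637
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
Version: 11.2.202.643
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
Windows 10 x64: PASSED
Version: 18.0.0.382
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
"""

_HEADING = re.compile(r"^(Windows|macOS|Ubuntu)\b.*:\s*PASSED", re.I)
_VERSION = re.compile(r"^Version:\s*(\S+)")
_CONSOLE = re.compile(r"changed from (\d+) to (\d+)")
_PLATFORM = {"windows": "windows", "macos": "mac", "ubuntu": "linux"}


def verify_qa_log(text: str) -> List[Tuple[str, str, int, int]]:
    """Parse a QA log and return (platform, version, observed, predicted) rows."""
    rows, platform, version = [], None, None
    for line in text.splitlines():
        m = _HEADING.match(line)
        if m:
            platform = _PLATFORM[m.group(1).lower()]
            continue
        m = _VERSION.match(line)
        if m:
            version = m.group(1)
            continue
        m = _CONSOLE.search(line)
        if m and platform and version:
            observed = int(m.group(2))
            rows.append((platform, version, observed, blocklist_state(version, platform)))
            version = None
    return rows


def all_consistent(text: str = SAMPLE_QA_LOG) -> bool:
    """True when every observed console state matches the modelled range."""
    return all(obs == pred for _, _, obs, pred in verify_qa_log(text))


if __name__ == "__main__":
    for row in verify_qa_log(SAMPLE_QA_LOG):
        print(row)
    print("consistent:", all_consistent())
```

The numeric comparison is the part worth keeping: a string comparison of dotted versions silently widens or narrows a range at the build-number boundary (23.0.0.99 versus 23.0.0.185), which is exactly where a block like "to 23.0.0.185" needs to be precise.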
Comment 11•8 years ago
Thanks, Kamil. Last block is up: https://addons.mozilla.org/en-US/firefox/blocked/p1415
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(krupa.mozbugs)
Resolution: --- → FIXED