Closed Bug 1323300 Opened 7 years ago Closed 7 years ago

Plugin block request: Adobe Flash Player 23.0.0.207 and earlier

Categories

(Toolkit :: Blocklist Policy Requests, defect)

RESOLVED FIXED

People

(Reporter: guigs, Unassigned)

Details

(Whiteboard: [plugin])

Plugin name: Flash Player.plugin
Plugin versions to block: 23.0.0.207 and earlier
Applications, versions, and platforms affected: Mac and Windows (Linux is a p3)
Block severity: (hard)

How does this plugin appear in about:plugins?
    File: /Library/Internet Plug-Ins/Flash Player.plugin
    Version: 23.0.0.207
    Description: Shockwave Flash 24.0 r0

Homepage and other references and contact info: https://helpx.adobe.com/security/products/flash-player/apsb16-39.html#table

Reasons: P1 in Adobe release
Summary: Plugin block request: <plugin name> → Plugin block request: Adobe Flash Player 23.0.0.207 and earlier
Depends on: 1323294
Blocks staged:

Flash Player Plugin on Linux 11.2.202.643 to 23.0.0.207 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p952

Flash Player Plugin 23.0.0.205 to 23.0.0.207 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p951

It's nice that they aligned the version numbers. However, we'll have to still add two different blocks because the Linux one needs the OS attribute in order to not apply on Android.
Flags: needinfo?(kjozwiak)
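
The effect of the OS attribute mentioned in the comment above, as an added example that is not part of the bug thread or Mozilla's blocklist code: it evaluates two version-range blocks modelled on the staged ones and shows how the Linux range would also match another platform if the OS scope were dropped. Field names, filename patterns, OS labels and the Android sample plugin are constructed assumptions, and the version compare handles only numeric dotted versions.

```javascript
// Added example: entries modelled on the two staged blocks (constructed data).
// Field names, filename patterns and OS labels are assumptions, not Mozilla's schema.
const STATE_NOT_BLOCKED = 0;
const STATE_VULNERABLE_UPDATE_AVAILABLE = 4; // "changed from 0 to 4" in the QA logs

const BLOCKS = [
  { label: "Flash on Linux", os: "Linux", filename: /^libflashplayer\.so$/,
    min: "11.2.202.643", max: "23.0.0.207" },
  { label: "Flash (all platforms)", os: null,
    filename: /^(NPSWF.*\.dll|Flash Player\.plugin|libflashplayer\.so)$/,
    min: "23.0.0.205", max: "23.0.0.207" },
];

// Numeric dotted-version compare; missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return the state of the first block that matches OS, filename and version.
function blocklistState(plugin, blocks = BLOCKS) {
  for (const b of blocks) {
    if (b.os !== null && b.os !== plugin.os) continue; // OS-scoped block
    if (!b.filename.test(plugin.filename)) continue;
    if (compareVersions(plugin.version, b.min) < 0) continue;
    if (compareVersions(plugin.version, b.max) > 0) continue;
    return { state: STATE_VULNERABLE_UPDATE_AVAILABLE, block: b.label };
  }
  return { state: STATE_NOT_BLOCKED, block: null };
}

// Constructed sample: same filename and version as the Linux plugin, other OS.
const ANDROID_SAMPLE = { os: "Android", filename: "libflashplayer.so",
                         version: "11.2.202.644" };
// The same blocks with the OS scope removed, to show the over-match.
const UNSCOPED = BLOCKS.map((b) => ({ ...b, os: null }));

console.log(blocklistState(ANDROID_SAMPLE));           // scoped blocks
console.log(blocklistState(ANDROID_SAMPLE, UNSCOPED)); // OS scope dropped
```
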
Jorge, I'm getting certificate errors whenever I attempt to ping the staged server. Did the process change or is this a legitimate problem with the staging server? It seems like the certificate that's being used on the staging server expired on 12/06/2016 07:00 AM...

Errors under the browser console:
==================================

Ubuntu 16.04 x64:

Blocklist::notify: Requesting https://blocklist-dev.allizom.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/53.0a1/Firefox/20161215061212/Linux_x86_64-gcc3/en-US/nightly/Linux%204.4.0-45-generic%20(GTK%203.18.9%2Clibpulse%208.0.0)/default/default/invalid/invalid/0/
blocklist-dev.allizom.org:443 uses an invalid security certificate.

The certificate expired on 12/06/2016 07:00 AM. The current time is 12/15/2016 02:40 PM.

Error code: <a id="errorCode" title="SEC_ERROR_EXPIRED_CERTIFICATE">SEC_ERROR_EXPIRED_CERTIFICATE</a>
Blocklist:onError: There was an error loading the blocklist file nsIXMLHttpRequest channel unavailable

Windows 10 x64:

Blocklist::notify: Requesting https://blocklist-dev.allizom.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/53.0a1/Firefox/20161215061212/WINNT_x86-msvc/en-US/nightly/Windows_NT%2010.0/default/default/1/1/new/
blocklist-dev.allizom.org:443 uses an invalid security certificate.

The certificate expired on Tuesday, December 6, 2016 7:00 AM. The current time is Thursday, December 15, 2016 2:46 PM.

Error code: <a id="errorCode" title="SEC_ERROR_EXPIRED_CERTIFICATE">SEC_ERROR_EXPIRED_CERTIFICATE</a>
Blocklist:onError: There was an error loading the blocklist file nsIXMLHttpRequest channel unavailable
Flags: needinfo?(kjozwiak) → needinfo?(jorge)
Stuart, do you know what that's about?
Flags: needinfo?(jorge) → needinfo?(scolville)
(In reply to Jorge Villalobos [:jorgev] from comment #3)
> Stuart, do you know what that's about?

That's going to be an ops question. I think there was a problem with cert expiry last week, since we had a problem that impacted the mobile pages statics. It sounds similar.
Flags: needinfo?(scolville) → needinfo?(jthomas)
Fixed on -dev and stage.
Flags: needinfo?(jthomas)
Kamil, please try again.
Flags: needinfo?(kjozwiak)
(In reply to Jorge Villalobos [:jorgev] from comment #6)
> Kamil, please try again.

Looks good!

Windows 10 x64 VM: PASSED
=========================

File: NPSWF32_23_0_0_207.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_23_0_0_207.dll
Version: 23.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/12/2016-12-16-03-02-07-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to firefox/blocked/p951
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: NPSWF32_24_0_0_186.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_186.dll
Version: 24.0.0.186
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/50.1.0/win32/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" is enabled

OSX 10.12.2 x64: PASSED
=======================

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 23.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/51.0b8-candidates/build1/mac/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to firefox/blocked/p941
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.186
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2016/12/2016-12-16-10-17-50-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" is enabled

Ubuntu 16.04.1 LTS VM x64: PASSED
=================================

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.644
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

* build used: https://archive.mozilla.org/pub/firefox/releases/50.1.0/linux-x86_64/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to firefox/blocked/p952
* ensured that "Always Active" is disabled
* ensured flash is correctly being blocked

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 24.0.0.186
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/51.0b8-candidates/build1/linux-x86_64/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" is enabled
Flags: needinfo?(kjozwiak)
The blocks are now live:

Flash Player Plugin 23.0.0.205 to 23.0.0.207 (click-to-play)
https://addons.mozilla.org/firefox/blocked/p1422

Flash Player Plugin on Linux 11.2.202.643 to 23.0.0.207 (click-to-play) 
https://addons.mozilla.org/firefox/blocked/p1421
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Due to the issue that was reported in comment#2 and fixed in comment#5, I quickly checked and made sure that the staged server is serving the blocks without any issues/cert errors.

Windows 10 x64: PASSED
======================

File: NPSWF32_23_0_0_207.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_23_0_0_207.dll
Version: 23.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* pinging server --> https://blocklist.addons.mozilla.org/
* build: https://archive.mozilla.org/pub/firefox/nightly/2016/12/2016-12-20-03-02-15-mozilla-central/

macOS 10.12.2 x64: PASSED
=========================

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 23.0.0.207
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 23.0 r0

* pinging server --> https://blocklist.addons.mozilla.org/
* build: https://archive.mozilla.org/pub/firefox/releases/50.0.2/mac/en-US/

Ubuntu 16.04.1 LTS: PASSED
==========================

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 11.2.202.644
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 11.2 r202

* pinging server --> https://blocklist.addons.mozilla.org/
* build: https://archive.mozilla.org/pub/firefox/candidates/51.0b9-candidates/build1/linux-x86_64/en-US/