Closed Bug 1330086 Opened 7 years ago Closed 7 years ago

Plugin block request: Adobe Flash player version 24.0.0.186 and earlier

Categories

(Toolkit :: Blocklist Policy Requests, defect, P1)

RESOLVED FIXED

People

(Reporter: kjozwiak, Assigned: jorgev)

Details

Plugin name: Flash Player.plugin
Plugin versions to block: 24.0.0.186 and earlier
Applications, versions, and platforms affected: Mac, Windows, Linux

How does this plugin appear in about:plugins?

    File: Flash Player.plugin
    Path: /Library/Internet Plug-Ins/Flash Player.plugin
    Version: 24.0.0.186
    State: Enabled
    Shockwave Flash 24.0 r0

Homepage and other references and contact info: https://helpx.adobe.com/security/products/flash-player/apsb17-02.html
Assignee: awilliamson → jorge
Blocks are now staged:

Flash Player Plugin 23.0.0.207 to 24.0.0.186 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p955

Flash Player Plugin on Linux 23.0.0.207 to 24.0.0.186 (click-to-play)
https://addons-dev.allizom.org/en-US/firefox/blocked/p956
Flags: needinfo?(kjozwiak)
=========================
Windows 10 x64 VM: PASSED
=========================

File: NPSWF32_24_0_0_186.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_186.dll
Version: 24.0.0.186
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/50.0.2/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to /blocked/p955
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.186 as vulnerable

Upgrading 24.0.0.186 to 24.0.0.194:
-----------------------------------

File: NPSWF32_24_0_0_194.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_194.dll
Version: 24.0.0.194
State: Enabled
Shockwave Flash 24.0 r0

* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.194 as the latest version

Clean installation of 24.0.0.194:
---------------------------------

File: NPSWF32_24_0_0_194.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_194.dll
Version: 24.0.0.194
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/01/2017-01-16-03-03-26-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.194 as the latest version

=========================
macOS 10.12.2 x64: PASSED
=========================

Clean installation of 24.0.0.186:
---------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.186
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/51.0b14-candidates/build1/mac/en-US/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to /blocked/p955
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.186 as vulnerable

Upgrading 24.0.0.186 to 24.0.0.194:
-----------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.194
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/51.0b14-candidates/build1/mac/en-US/
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.194 as the latest version

Clean installation of 24.0.0.194:
---------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.194
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/01/2017-01-16-00-40-21-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.194 as the latest version
Jorge, I'm having issues with the blocklist under Ubuntu. I've created bug#1331489 to keep the two issues separate as this is specific to the staging/release of the block.

Can you or someone else familiar with the blocklist take a look and see what's going on? It works fine under Win/macOS, but not under Ubuntu.
Flags: needinfo?(kjozwiak) → needinfo?(jorge)
Thanks, I commented on bug 1331489. I'll move forward with the blocks as they are, since there's a chance the Linux block will work on other distros. However, we definitely need to look into that bug and resolve it soon.
Flags: needinfo?(jorge)
Blocks are now live:

Flash Player Plugin on Linux 23.0.0.207 to 24.0.0.186 (click-to-play)
https://addons.mozilla.org/en-US/firefox/blocked/p1495

Flash Player Plugin 23.0.0.207 to 24.0.0.186 (click-to-play) 
https://addons.mozilla.org/en-US/firefox/blocked/p1494

Adding bug 1331489 as a dependency, since the Linux block is probably ineffective because of it.
Status: NEW → RESOLVED
Closed: 7 years ago
Depends on: 1331489
Resolution: --- → FIXED
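
The click-to-play range in the block entries above (23.0.0.207 to 24.0.0.186) and the state change logged during QA (0 to 4) can be checked against about:plugins output with a short script. This is an added example, not Mozilla's blocklist code: the numeric version comparison is a simplification of Firefox's comparator, matching on the "Shockwave Flash" description is an assumption, and the two sample records are copied from the Windows QA results on this page.

```javascript
// Added example (not Mozilla code): evaluate about:plugins records against
// the block range given in this bug, 23.0.0.207 to 24.0.0.186.
const STATE_NOT_BLOCKED = 0;                  // nsIBlocklistService constant
const STATE_VULNERABLE_UPDATE_AVAILABLE = 4;  // the "0 to 4" change logged above
// Assumption: the entry is matched on the plugin description string.
const BLOCK = { name: /^Shockwave Flash\b/, min: "23.0.0.207", max: "24.0.0.186" };

// Sample records copied from the Windows QA results on this page.
const SAMPLE_BLOCKED = String.raw`File: NPSWF32_24_0_0_186.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_186.dll
Version: 24.0.0.186
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0`;
const SAMPLE_UPDATED = String.raw`File: NPSWF32_24_0_0_194.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_194.dll
Version: 24.0.0.194
State: Enabled
Shockwave Flash 24.0 r0`;

// Numeric, part-by-part comparison (simplified; string comparison would
// wrongly sort "9.0" after "23.0"). Missing parts count as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// "Key: value" lines become fields; the bare last line is the description.
function parsePluginRecord(text) {
  const rec = {};
  for (const line of text.split("\n").map((l) => l.trim()).filter(Boolean)) {
    const m = /^(File|Path|Version|State):\s*(.*)$/.exec(line);
    if (m) rec[m[1].toLowerCase()] = m[2];
    else rec.description = line;
  }
  return rec;
}

// Returns the blocklist state this entry would assign to the record.
function blocklistState(rec) {
  if (!/^\d+(\.\d+)*$/.test(rec.version || "")) throw new Error("unparseable version");
  const inRange = compareVersions(rec.version, BLOCK.min) >= 0 &&
                  compareVersions(rec.version, BLOCK.max) <= 0;
  const named = BLOCK.name.test(rec.description || "");
  return named && inRange ? STATE_VULNERABLE_UPDATE_AVAILABLE : STATE_NOT_BLOCKED;
}
```

A version below 23.0.0.207 returns 0 from this entry alone, so an audit built this way needs every applicable block entry loaded, not just this one.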
Hi,

Currently blocking Flash Player plugin is safe but is breaking the browser on Windows 10.

How to reproduce the issue:
Click Tools \ Add-Ons \ Plugins \
->
See the shockwave flash plugin is outdated and has an Update Now link. 
->
Click Update Now
->
Click "Blocked Add-ons".Plugin check page
->
Click "Check Your Plugins".Update Now
->
Click "https://get.adobe.com/flashplayer/".Install now
->
Download the file (Version 24.0.0.194)
->
Run the file
->
Get message that you are using an old version of the installer and click finish to get the latest.
->
Click Finish, which deletes the downloaded file and opens Edge, saying that there is no need to download Flash which is included in Edge.
->
You're mad.

I would suggest to do something about this.

a+,=)
-=Finiderire=-

Configuration:
Waterfox 50.1 Portable
Windows 10
Hi, RESOLVED/FIXED,

This morning I managed to fix the issue, so here is the trick in case someone else goes into the issue:
...
->
Click "Check Your Plugins".Update Now
->
Click "https://get.adobe.com/flashplayer/".Need Flash Player For A Different Computer ?
->
Select "Windows 10/Windows 8" and "FP 24 for Firefox - NPAPI"
->
Uncheck Optional Offers, and click Download Now
->
Download the file (Version 24.0.0.194)
->
Run the file
->
This time no message that you are using an old version of the installer.

Conclusion: the installer that you obtain by manually requesting "Windows 10/Windows 8" + "FP 24 for Firefox - NPAPI" is not the same as the one you obtain when you let Adobe website choose for you even if it says "Your system: Windows 64-bit , English , Firefox". Note that both installers will have the same size and properties but different behavior. Another achievement from Adobe.

a+,=)
-=Finiderire=-
