Closed Bug 1339975 Opened 7 years ago Closed 7 years ago

Plugin block request: Adobe Flash player version 24.0.0.194 and earlier

Categories

(Toolkit :: Blocklist Policy Requests, defect, P1)

RESOLVED FIXED

People

(Reporter: jorgev, Assigned: jorgev)

Details

Just the usual monthly Flash plugin update. It was done a week later than usual due to Microsoft also delaying Patch Tuesday.
Should we close bug#1339533? I just found the bug when I noticed there's a newer version of flash out while going through bug#1339500.
Scratch the above. I think bug#1339533 is specific to updating the plugin database.
The blocks are staged. Kamil, please give them a look. The plan is to deploy them on Monday, Feb 20th.
Flags: needinfo?(kjozwiak)
Is this staged on blocklist-dev.allizom.org? I keep trying to ping the staging server while I have fp24.0.0.194 installed but I keep getting the following:

* Blocklist state for Shockwave Flash changed from 0 to 0
** indicates that the item does not appear in the blocklist.

If I'm not mistaken, I should be getting the following:

* Blocklist state for Shockwave Flash changed from 0 to 3
** considered outdated, and there is a known update available.
Flags: needinfo?(kjozwiak) → needinfo?(jorge)
Kamil, please give it another try. It should be working now.
Flags: needinfo?(kjozwiak)
(In reply to Jorge Villalobos [:jorgev] from comment #6)
> Kamil, please give it another try. It should be working now.

I'm still getting the same results as in comment#4 even though I've pointed "extensions.blocklist.url" to the link mentioned in comment#5 using both m-c and m-r. Once "extensions.blocklist.url" has been changed, I use the following snippet to force the blocklist ping:

Components.classes["@mozilla.org/extensions/blocklist;1"].getService(Components.interfaces.nsITimerCallback).notify(null);

I looked under the URL [1] that I received in the browser console when I forced the blocklist ping, but I didn't see 24.0.0.194 listed anywhere in the XML file. Perhaps we're using the wrong link, or maybe I'm just doing something wrong? Is there a different method that I should be using to ping the blocklist now that we're using kinto?

[1] https://firefox.settings.services.mozilla.com/v1/preview/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/51.0.1/Firefox/20170125094131/Darwin_x86_64-gcc3-u-i386-x86_64/en-US/release/
Flags: needinfo?(kjozwiak) → needinfo?(jorge)
It looks like I forgot to move the staged blocks to preview (I thought I did?). Please try again.
Flags: needinfo?(jorge) → needinfo?(kjozwiak)
It looks like m-c is the only channel that's currently using the new kinto server for blocklisting [1]. Right now, pinging blocklist-dev.allizom.org will result in the following (comment#4):

* Blocklist state for Shockwave Flash changed from 0 to 0

Should we be adding the "24.0.0.194" block under the blocklist-dev.allizom.org staging server so the block can be tested on the other channels that are currently not using kinto?

[1] Results:

* fx51.0.1, buildid: 20170125094131 -> extensions.blocklist.url using https://blocklist.addons.mozilla.org/
* fx52.0b8, buildid: 20170220070057 -> extensions.blocklist.url using https://blocklist.addons.mozilla.org/
* fx53.0a2, buildid: 20170223004018 -> extensions.blocklist.url using https://blocklist.addons.mozilla.org/
* fx54.0a1, buildid: 20170223030204 -> extensions.blocklist.url using https://firefox.settings.services.mozilla.com/
Flags: needinfo?(kjozwiak) → needinfo?(jorge)
After some IRC conversation, it looks like the staged changes on Kinto aren't propagated to the AMO XML on stage. This limits testing because the kinto settings are only the defaults on Nightly at the moment and we should test these blocks on release. For now, I think we can live with this, but I'd like us to be able to test this better in the future.
Flags: needinfo?(jorge)
So, Firefox isn't going to block vulnerable plugins anymore?
(In reply to blud from comment #12)
> So, Firefox isn't going to block vulnerable plugins anymore?

We're still going to be blocking vulnerable plugins. The above conversation is about the staging server which houses the blocks for testing/QA purposes before it lands into the production servers.
> This limits testing because the kinto settings are only the defaults on Nightly at the moment and we should test these blocks on release.

This is not accurate: all Firefox versions, previous and future, are using the same XML file served by Kinto.

If you want to try the changes, you change the proper blocklist collection in the kinto-admin and then you ask for a review.

firefox.settings is behind a CDN so it can take a while before seeing an update. If you want a result not cached you can access it from there:

https://settings.prod.mozaws.net/v1/preview/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/51.0.1/Firefox/20170125094131/Darwin_x86_64-gcc3-u-i386-x86_64/en-US/release/

And I can see "24.0.0.194" in that file.

You can also access your changes directly by looking at the JSON collections:

- https://settings.prod.mozaws.net/v1/buckets/blocklists-preview/collections/addons/records
- https://settings.prod.mozaws.net/v1/buckets/blocklists-preview/collections/plugins/records

> The above conversation is about the staging server which houses the blocks for testing/QA purposes before it lands into the production servers.

The current flow is not to test with the staging environment anymore.

Now you file your change in production and use the review workflow there with the preview bucket to try your change before approving it.
The block has just been pushed to prod.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
I double checked and ensured that the blocklist is working correctly under Win/macOS. However, Linux is still broken due to bug#1331489.

======================
Win 10 Pro x64: PASSED
======================

Clean installation of 24.0.0.194:
---------------------------------

File: NPSWF32_24_0_0_194.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_194.dll
Version: 24.0.0.194
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/02/2017-02-27-03-02-03-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to the following location:
** https://blocked.cdn.mozilla.net/f77960ca-28f3-4664-994d-2b713d2a1434.html
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.194 as vulnerable

Upgrading 24.0.0.194 to 24.0.0.221:
-----------------------------------

File: NPSWF32_24_0_0_221.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_221.dll
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/02/2017-02-27-03-02-03-mozilla-central/
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as the latest version

Clean installation of 24.0.0.221:
---------------------------------

File: NPSWF32_24_0_0_221.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_221.dll
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/02/2017-02-27-00-40-04-mozilla-aurora/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as the latest version

=========================
macOS 10.12.2 x64: PASSED
=========================

Clean installation of 24.0.0.194:
---------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.194
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/51.0.1/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to the following location:
** https://blocked.cdn.mozilla.net/f77960ca-28f3-4664-994d-2b713d2a1434.html
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.194 as vulnerable

Upgrading 24.0.0.194 to 24.0.0.221:
-----------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/51.0.1/
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as the latest version

Clean installation of 24.0.0.221:
---------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/02/2017-02-27-03-02-03-mozilla-central/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as the latest version
I don't understand. Flash 24.0.0.221 now reports a version field (and that shows up in about:plugins), so it should be possible to block any Flash without a version field and use the new one properly.

Linux (x86-64):

Shockwave Flash

    File: libflashplayer.so
    Path: /usr/lib64/flash-plugin/libflashplayer.so
    Version: 24.0.0.221
    State: Enabled
    Shockwave Flash 24.0 r0

MIME Type                      Description          Suffixes
application/x-shockwave-flash  Shockwave Flash      swf
application/futuresplash       FutureSplash Player  spl
Blocking by "no version field" could possibly block future versions if this problem reappears, either by Adobe's fault or our own. We've also never blocked filtering by missing fields, which could lend itself to unexpected bugs.

Assuming users stay mostly up to date, the next block coming up in a couple of weeks should bring them back on track because they'll be using blockable versions. Does that sound reasonable?
Adobe must have fixed the issue with 24.0.0.221. It looks like the version is appearing correctly under about:plugins:

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 24.0.0.221
State: Enabled
Shockwave Flash 24.0 r0

However with 24.0.0.186 and 24.0.0.194, the version numbers are still missing under about:plugins.
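The console messages quoted in the QA results ("Blocklist state for Shockwave Flash changed from 0 to 4") and the discussion of version-less Flash binaries above both come down to one check: does the installed plugin's version fall inside a block record's versionRange, and what state does that range map to. The following is an added example, not code from Firefox's Blocklist.jsm or from this bug. It models that check with a constructed record in the shape of a Kinto plugins-collection entry (the field names matchName, versionRange, minVersion, maxVersion, severity and vulnerabilityStatus are assumed, as is the rule that a plugin reporting no version can only satisfy an unrestricted range; the numeric state values follow nsIBlocklistService). The version comparator is a simplified dotted-numeric one and does not implement the full toolkit version format.

```javascript
// Added example: a model of plugin blocklist matching, not Firefox's own code.
// Numeric states follow nsIBlocklistService:
//   0 not blocked, 1 softblocked, 2 blocked, 3 outdated,
//   4 vulnerable / update available, 5 vulnerable / no update.
const STATE_NOT_BLOCKED = 0;
const STATE_SOFTBLOCKED = 1;
const STATE_BLOCKED = 2;
const STATE_OUTDATED = 3;
const STATE_VULNERABLE_UPDATE_AVAILABLE = 4;
const STATE_VULNERABLE_NO_UPDATE = 5;

const STATE_NAMES = {
  0: "STATE_NOT_BLOCKED", 1: "STATE_SOFTBLOCKED", 2: "STATE_BLOCKED",
  3: "STATE_OUTDATED", 4: "STATE_VULNERABLE_UPDATE_AVAILABLE", 5: "STATE_VULNERABLE_NO_UPDATE",
};

// Simplified comparison of dotted numeric versions such as "24.0.0.194".
// "*" (open-ended maxVersion) is treated as larger than any number;
// missing trailing components count as 0, so "24.0" == "24.0.0.0".
function compareVersions(a, b) {
  const parse = (v) => v.split(".").map((p) => (p === "*" ? Infinity : Number(p)));
  const pa = parse(a), pb = parse(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Assumption modelled here: a plugin that reports no version string can only
// satisfy an unrestricted range ("0" to "*"). That is why a Flash binary whose
// version field is missing is not caught by a "24.0.0.194 and earlier" block.
function versionInRange(version, range) {
  const min = range.minVersion || "0";
  const max = range.maxVersion || "*";
  if (!version) return min === "0" && max === "*";
  return compareVersions(version, min) >= 0 && compareVersions(version, max) <= 0;
}

// Map a matched range to a state. Severity 0 with vulnerabilityStatus "1"
// is the "vulnerable, update available" case reported in the QA results.
function stateForRange(range) {
  const severity = "severity" in range ? Number(range.severity) : 3;
  if (severity >= 2) return STATE_BLOCKED;
  if (severity === 1) return STATE_SOFTBLOCKED;
  if (severity === 0) {
    if (range.vulnerabilityStatus === "1") return STATE_VULNERABLE_UPDATE_AVAILABLE;
    if (range.vulnerabilityStatus === "2") return STATE_VULNERABLE_NO_UPDATE;
    return STATE_OUTDATED;
  }
  return STATE_NOT_BLOCKED;
}

// Walk the records; the first record whose name pattern matches and whose
// versionRange contains the plugin's version decides the state.
function pluginBlocklistState(plugin, records) {
  for (const rec of records) {
    if (rec.matchName && !new RegExp(rec.matchName).test(plugin.name)) continue;
    for (const range of rec.versionRange || []) {
      if (versionInRange(plugin.version, range)) return stateForRange(range);
    }
  }
  return STATE_NOT_BLOCKED;
}

// Constructed sample record (shape assumed, not copied from the preview bucket).
const SAMPLE_RECORDS = [
  {
    matchName: "^Shockwave Flash",
    versionRange: [
      { minVersion: "0", maxVersion: "24.0.0.194", severity: 0, vulnerabilityStatus: "1" },
    ],
  },
];

// Constructed installs mirroring the QA matrix: vulnerable, updated, version-less.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", filename: "NPSWF32_24_0_0_194.dll", version: "24.0.0.194" },
  { name: "Shockwave Flash", filename: "NPSWF32_24_0_0_221.dll", version: "24.0.0.221" },
  { name: "Shockwave Flash", filename: "libflashplayer.so", version: "" },
];

for (const p of SAMPLE_PLUGINS) {
  const state = pluginBlocklistState(p, SAMPLE_RECORDS);
  console.log(`Blocklist state for ${p.name} (${p.filename}) changed from 0 to ${state} (${STATE_NAMES[state]})`);
}
```

Running it prints state 4 for the 24.0.0.194 install, 0 for 24.0.0.221, and 0 for the version-less Linux binary, which is the outcome the thread describes: a block expressed as a version range cannot reach a plugin that never reports a version, and the only range that would is one that also matches every future build.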