Closed Bug 1347215 Opened 5 years ago Closed 5 years ago

Plugin block request: Adobe Flash player version 24.0.0.221 and earlier

Categories: Toolkit :: Blocklist Policy Requests, enhancement, P1

Status: RESOLVED FIXED

People: Reporter: jorgev, Assigned: jorgev

Block vulnerable versions of the Adobe Flash Player plugin, in response to their monthly security release:

https://helpx.adobe.com/security/products/flash-player/apsb17-07.html
The blocks are now staged. Kamil, please review.
Flags: needinfo?(kjozwiak)
Duplicate of this bug: 1347192
Duplicate of this bug: 1347252
======================
Win 10 Pro x64: PASSED
======================

Clean installation of 24.0.0.221:
---------------------------------

File: NPSWF32_24_0_0_221.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_221.dll
Version: 24.0.0.221
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-14-03-02-15-mozilla-central/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to the following location:
** https://blocked.cdn.mozilla.net/2b608fae-1750-4a06-a142-0bc9ba17a7d0.html 
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as vulnerable

Updating 24.0.0.221 to 25.0.0.127:
----------------------------------

File: NPSWF32_25_0_0_127.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_25_0_0_127.dll
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/52.0/win32/en-US/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 25.0.0.127 as the latest version

Clean installation of 25.0.0.127:
---------------------------------

File: NPSWF32_25_0_0_127.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_25_0_0_127.dll
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/53.0b2-candidates/build1/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 25.0.0.127 as the latest version

==========================
macOS 10.12.3 x64 - PASSED
==========================

Clean installation of 24.0.0.221:
---------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.221
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-14-00-40-20-mozilla-aurora/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to the following location:
** https://blocked.cdn.mozilla.net/2b608fae-1750-4a06-a142-0bc9ba17a7d0.html
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as vulnerable

Updating 24.0.0.221 to 25.0.0.127:
----------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/52.0/mac/en-US/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 25.0.0.127 as the latest version

Clean installation of 25.0.0.127:
---------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/53.0b2-candidates/build1/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 25.0.0.127 as the latest version

===============================
Ubuntu 16.04.2 LTS x64 - PASSED
===============================

Clean installation of 24.0.0.221:
---------------------------------

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 24.0.0.221
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/53.0b2-candidates/build1/linux-x86_64/en-US/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to the following location:
** https://blocked.cdn.mozilla.net/26c2a4e2-9aff-4ab1-b654-20e478b375f0.html
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as vulnerable

Updating 24.0.0.221 to 25.0.0.127:
----------------------------------

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/52.0/linux-x86_64/en-US/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 25.0.0.127 as the latest version
Flags: needinfo?(kjozwiak)
The blocks have just been pushed to prod.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Can someone shed some light on this issue?

Firefox is harassing me about the exploitable Flash plugin:

Shockwave Flash

    File: libflashplayer.so
    Path: /usr/lib64/flash-plugin/libflashplayer.so
    Version: 24.0.0.221
    State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
    Shockwave Flash 24.0 r0

However:

[root@lightwave plugins]# rpm -qf /usr/lib64/flash-plugin/libflashplayer.so
flash-plugin-25.0.0.127-release.x86_64

[root@lightwave plugins]# strings /usr/lib64/flash-plugin/libflashplayer.so|grep Shockwave
Shockwave Flash
Shockwave Flash 25.0 r0
application/x-shockwave-flash:swf:Shockwave Flash;application/futuresplash:spl:FutureSplash Player
[root@lightwave plugins]# 

Fedora 25, Firefox 52.0.2 (64-bit).

There are no multiple versions of the Flash plugin installed, only one, and it's the latest from the Adobe repo.
What do you see in about:plugins in Firefox? Specifically in the Version string.
It was showing 24.0.0.221.

Apparently Firefox wasn't refreshing/rereading the real upgraded version of the plugin for quite a long time. I ended up rm-ing /usr/lib64/flash-plugin/libflashplayer.so manually, starting Firefox without it, shutting FF down, reinstalling the same package with dnf (yum) and starting FF again.

All good now - about:plugins:

Shockwave Flash

    File: libflashplayer.so
    Path: /usr/lib64/flash-plugin/libflashplayer.so
    Version: 25.0.0.127
    State: Enabled
    Shockwave Flash 25.0 r0
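
Added example, not part of the bug thread or of Mozilla's code: a POSIX shell check that separates the two situations seen above, a plugin that really falls in the blocked range versus a browser still reporting an old version after the file on disk was upgraded. The function names are hypothetical; the threshold comes from the bug title and the sample values from the comments.

```sh
#!/bin/sh
# Highest blocked version, from the bug title ("24.0.0.221 and earlier").
BLOCK_MAX="24.0.0.221"

# pkg_version NAME: pull the first a.b.c.d version out of an rpm package name.
pkg_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)\{3\}\).*/\1/p'
}

# version_le A B: succeed if dotted version A <= B, compared field by field
# as integers (a plain string comparison would misorder 9 and 10).
version_le() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 0; fi
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 1; fi
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 0
}

# plugin_status REPORTED ONDISK
#   stale   - browser reports a different version than the installed file
#   blocked - installed file is within the blocked range
#   ok      - installed file is newer than the blocked range
plugin_status() {
    if [ "$1" != "$2" ]; then
        echo stale
    elif version_le "$2" "$BLOCK_MAX"; then
        echo blocked
    else
        echo ok
    fi
}

# Constructed sample, using the values quoted in the thread.
reported="24.0.0.221"    # Version line as shown by about:plugins
ondisk=$(pkg_version "flash-plugin-25.0.0.127-release.x86_64")   # rpm -qf output
echo "reported=$reported ondisk=$ondisk status=$(plugin_status "$reported" "$ondisk")"
```

A `stale` result means the warning reflects what the browser has recorded for the plugin rather than the file that is installed, which is the case the last commenter hit.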