Closed Bug 1347215 Opened 9 years ago Closed 8 years ago

Plugin block request: Adobe Flash player version 24.0.0.221 and earlier

Categories

(Toolkit :: Blocklist Policy Requests, enhancement, P1)

Tracking

RESOLVED FIXED

People

(Reporter: jorgev, Assigned: jorgev)

Block vulnerable versions of the Adobe Flash Player plugin, in response to their monthly security release: https://helpx.adobe.com/security/products/flash-player/apsb17-07.html
The blocks are now staged. Kamil, please review.
Flags: needinfo?(kjozwiak)
======================
Win 10 Pro x64: PASSED
======================

Clean installation of 24.0.0.221:
---------------------------------

File: NPSWF32_24_0_0_221.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_221.dll
Version: 24.0.0.221
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-14-03-02-15-mozilla-central/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to the following location:
** https://blocked.cdn.mozilla.net/2b608fae-1750-4a06-a142-0bc9ba17a7d0.html
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as vulnerable

Updating 24.0.0.221 to 25.0.0.127:
----------------------------------

File: NPSWF32_25_0_0_127.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_25_0_0_127.dll
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/52.0/win32/en-US/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 25.0.0.127 as the latest version

Clean installation of 25.0.0.127:
---------------------------------

File: NPSWF32_25_0_0_127.dll
Path: C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_25_0_0_127.dll
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/53.0b2-candidates/build1/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 25.0.0.127 as the latest version

==========================
macOS 10.12.3 x64 - PASSED
==========================

Clean installation of 24.0.0.221:
---------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 24.0.0.221
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-14-00-40-20-mozilla-aurora/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to the following location:
** https://blocked.cdn.mozilla.net/2b608fae-1750-4a06-a142-0bc9ba17a7d0.html
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as vulnerable

Updating 24.0.0.221 to 25.0.0.127:
----------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/52.0/mac/en-US/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 25.0.0.127 as the latest version

Clean installation of 25.0.0.127:
---------------------------------

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/53.0b2-candidates/build1/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 0
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 25.0.0.127 as the latest version

===============================
Ubuntu 16.04.2 LTS x64 - PASSED
===============================

Clean installation of 24.0.0.221:
---------------------------------

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 24.0.0.221
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0

* build used: https://archive.mozilla.org/pub/firefox/candidates/53.0b2-candidates/build1/linux-x86_64/en-US/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* browser console log: Blocklist state for Shockwave Flash changed from 0 to 4
* ensured that "Update Now" pointed to the following location:
** https://blocked.cdn.mozilla.net/26c2a4e2-9aff-4ab1-b654-20e478b375f0.html
* ensured that "Always Active" is being disabled
* ensured flash is correctly being blocked when visiting several websites
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 24.0.0.221 as vulnerable

Updating 24.0.0.221 to 25.0.0.127:
----------------------------------

File: libflashplayer.so
Path: /usr/lib/mozilla/plugins/libflashplayer.so
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0

* build used: https://archive.mozilla.org/pub/firefox/releases/52.0/linux-x86_64/en-US/
* extensions.blocklist.url used: https://settings.prod.mozaws.net/v1/preview/3/
* ensured that "Always Active" can be enabled
* ensured that the flash plugin doesn't appear blocked under about:addons
* ensured that the "Version Information" under http://www.adobe.com/software/flash/about/ is listing 25.0.0.127 as the latest version
Flags: needinfo?(kjozwiak)
The blocks have just been pushed to prod.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Can someone shed some light on this issue?

Firefox is harassing me about the exploitable Flash plugin:

Shockwave Flash
File: libflashplayer.so
Path: /usr/lib64/flash-plugin/libflashplayer.so
Version: 24.0.0.221
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0

However:

[root@lightwave plugins]# rpm -qf /usr/lib64/flash-plugin/libflashplayer.so
flash-plugin-25.0.0.127-release.x86_64
[root@lightwave plugins]# strings /usr/lib64/flash-plugin/libflashplayer.so|grep Shockwave
Shockwave Flash
Shockwave Flash 25.0 r0
application/x-shockwave-flash:swf:Shockwave Flash;application/futuresplash:spl:FutureSplash Player
[root@lightwave plugins]#

Fedora 25, Firefox 52.0.2 (64-bit).

There are no multiple versions of the Flash plugin installed, only one, and it's the latest from the Adobe repo.
What do you see in about:plugins in Firefox? Specifically in the Version string.
It was showing 24.0.0.221.

Apparently Firefox wasn't refreshing/rereading the real upgraded version of the plugin for quite a long time.

I ended up rm-ing /usr/lib64/flash-plugin/libflashplayer.so manually, starting Firefox without it, shutting FF down, reinstalling the same package with dnf (yum) and starting FF again.

All good now - about:plugins:

Shockwave Flash
File: libflashplayer.so
Path: /usr/lib64/flash-plugin/libflashplayer.so
Version: 25.0.0.127
State: Enabled
Shockwave Flash 25.0 r0
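The mismatch described in the last comments can be checked mechanically by comparing the version Firefox shows in about:plugins with the package and binary on disk. This is an added example, not part of the bug thread or of Firefox; the function names and verdict labels are hypothetical, and the sample inputs are the values quoted in the comments above.

```python
import re

# Highest blocked version, from the bug title ("24.0.0.221 and earlier").
BLOCKED_MAX = (24, 0, 0, 221)

def _ver(text):
    return tuple(int(p) for p in text.split("."))

def reported_version(about_plugins):
    """Version Firefox shows for the plugin in about:plugins."""
    return _ver(re.search(r"^Version:\s*(\d+(?:\.\d+)*)", about_plugins, re.M).group(1))

def package_version(rpm_name):
    """Version embedded in the package name printed by `rpm -qf`."""
    return _ver(re.search(r"flash-plugin-(\d+(?:\.\d+){3})", rpm_name).group(1))

def binary_major_minor(strings_out):
    """(major, minor) from the 'Shockwave Flash X.Y rZ' string in the binary."""
    m = re.search(r"^Shockwave Flash (\d+)\.(\d+) r\d+", strings_out, re.M)
    return int(m.group(1)), int(m.group(2))

def assess(about_plugins, rpm_name, strings_out):
    """Hypothetical verdicts: 'ok', 'vulnerable' or 'stale-metadata'."""
    shown = reported_version(about_plugins)
    pkg = package_version(rpm_name)
    if shown > BLOCKED_MAX:
        return "ok"
    # Firefox shows a blocked version: is that really what is installed?
    on_disk_matches = shown == pkg and shown[:2] == binary_major_minor(strings_out)
    if not on_disk_matches and pkg > BLOCKED_MAX:
        return "stale-metadata"   # disk is patched, displayed version lags
    return "vulnerable"

# Inputs quoted in the thread above (Fedora 25 report).
ABOUT_PLUGINS = """Shockwave Flash
File: libflashplayer.so
Path: /usr/lib64/flash-plugin/libflashplayer.so
Version: 24.0.0.221
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 24.0 r0
"""
RPM_NAME = "flash-plugin-25.0.0.127-release.x86_64"
STRINGS_OUT = "Shockwave Flash\nShockwave Flash 25.0 r0\n"

if __name__ == "__main__":
    print(assess(ABOUT_PLUGINS, RPM_NAME, STRINGS_OUT))
```

A "stale-metadata" verdict means the blocklist warning is acting on the version Firefox has recorded, not on the file currently installed, which is the situation the reporter resolved by removing and reinstalling the plugin.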