Closed Bug 1547789 Opened 5 years ago Closed 5 years ago

Extension Block Request: Multiple ad blockers

Categories

(Toolkit :: Blocklist Policy Requests, task)

task
Not set
normal

RESOLVED FIXED

People

(Reporter: contact, Assigned: Fallen)

Details

Extension name Multiple ad blockers
Extension versions affected <all versions>
Platforms affected <all platforms>
Block severity soft

Reason

There was a vulnerability in Adblock Plus and uBlock that recently got fixed (CVE-2019-11593 and CVE-2019-11595), see this post for details: hxxps://armin.dev/blog/2019/04/adblock-plus-code-injection/

Please consider blocklisting certain Adblock Plus and uBlock versions.

These are the vulnerable version ranges:
Adblock Plus >=3.2,<3.5.2
uBlock >=0.9.5.11,<0.9.5.15

For Adblock Plus 3.5.1 and uBlock 0.9.5.14 it may be better to wait a bit before blacklisting since the mitigation was released only about a week ago, but the rest of the versions had plenty of time to update and they still have a substantial amount of users.

Here's a list of Adblock Plus versions with user counts as of 2019.04.28, and the dates at which they became outdated due to a new release on AMO.

Version  Users   Outdated since
3.5.1    316686  2019.04.20
3.5      83560   2019.04.04
3.4.3    65091   2019.03.13
3.4.2    31664   2019.01.23
3.4.1    8944    2018.12.03
3.4      6030    2018.11.14
3.3.1    20020   2018.10.31
3.2      8964    2018.08.28

https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/versions/
https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/statistics/usage/versions/?last=30

There are about 220k users running Adblock Plus versions that became outdated about a month ago or more, and 75k users of versions that became outdated more than 3 months ago.

Filter lists receive the extension version as part of the periodic filter list update request, so it's easy for a malicious filter list maintainer to deliver payloads only to vulnerable devices, and the vulnerability was widely reported.

Extension IDs

{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}
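As an added illustration of the version-range semantics used in this request (not code from this bug or from Mozilla's blocklist tooling), the checker below parses range specs in the `>=3.2,<3.5.2` form quoted above and classifies installed (extension ID, version) pairs. It assumes a simplified dotted-numeric comparison, which covers the versions listed here but not the full toolkit version grammar; the sample install list is constructed.

```python
from typing import Dict, List, Tuple

# Ranges copied from the request above (assumed spec format: comma-separated
# clauses that must all hold). Simplified numeric comparison only.
VULNERABLE_RANGES: Dict[str, str] = {
    "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}": ">=3.2,<3.5.2",          # Adblock Plus
    "{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}": ">=0.9.5.11,<0.9.5.15",  # uBlock
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'3.5' -> (3, 5); '0.9.5.11' -> (0, 9, 5, 11)."""
    return tuple(int(p) for p in v.strip().split("."))

def compare(a: str, b: str) -> int:
    """-1, 0 or 1; missing trailing parts count as 0, so 3.5 < 3.5.1."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)

OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
       ">": lambda c: c > 0, "<": lambda c: c < 0}

def in_range(version: str, spec: str) -> bool:
    """True when every clause of the spec (e.g. '>=3.2' and '<3.5.2') holds."""
    for clause in spec.split(","):
        clause = clause.strip()
        for op in (">=", "<=", ">", "<"):  # two-character operators first
            if clause.startswith(op):
                if not OPS[op](compare(version, clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unparseable clause: {clause!r}")
    return True

def vulnerable_installs(installed: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (extension ID, version) pairs that fall inside a vulnerable range."""
    return [(eid, ver) for eid, ver in installed
            if eid in VULNERABLE_RANGES and in_range(ver, VULNERABLE_RANGES[eid])]

# Constructed sample: one outdated ABP, one patched ABP, one vulnerable uBlock, one unrelated ID.
SAMPLE_INSTALLS = [
    ("{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}", "3.4.3"),
    ("{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}", "3.5.2"),
    ("{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}", "0.9.5.14"),
    ("example-unrelated@placeholder.invalid", "1.0"),
]
```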

Thank you for the report.

Philipp and I agreed to start blocking old versions next week.

Assignee: nobody → awagner
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Assignee: awagner → philipp

The vulnerable versions don't appear to be blocked.

I'm blocking the following versions:

{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, versions 3.2 - 3.5.1)
{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42} (µBlock, versions 0.9.5.11 - 0.9.5.14)
jid1-NIfFY2CA8fy1tg@jetpack (Adblock for Firefox, versions 3.19.0 - 3.28.0)

The block has been staged. Stuart, can you review and push? Please take a careful look at the version ranges here.

Flags: needinfo?(scolville)

Approved and pushed

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(scolville)
Resolution: --- → FIXED
Group: blocklist-requests