Closed Bug 524460 Opened 15 years ago Closed 15 years ago

adobe reader plugin updates

Categories

(Websites :: plugins.mozilla.org, defect)

Product:
Websites
Component:
plugins.mozilla.org
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: chofmann, Unassigned)

References

Details

Attachments

(2 files)

Screenshot under Ubuntu -- shows up as Adobe Reader 9.3
258.07 KB, image/png
Details
Post-fix screenshot on Linux -- WFM now
263.98 KB, image/png
Details 
      No description provided.
On Oct 13, 2009, at 9:03 PM, Chris Hofmann wrote:

>
> critical update for acrobat released this afternoon.
>
> http://www.adobe.com/support/security/bulletins/apsb09-15.html
>
> are we checking for 9.2?
>
> ...
> Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2.
>
> Adobe recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4.
>
> For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates. Updates apply to all platforms: Windows, Macintosh and UNIX.
> ---
Blocks: 524458
Component: Other → Plugins
Product: Websites → addons.mozilla.org
QA Contact: other → plugin-listings
OS: Mac OS X → All
Hardware: x86 → All
Component: Plugins → plugins.mozilla.org
Product: addons.mozilla.org → Websites
a new zero-day under investigation.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324

http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html

need to keep an eye out for updates in the next few days.
adobe has confirmed exploits running in the wild and indicated a patch will be available jan 12

http://www.adobe.com/support/security/advisories/apsa09-07.html
Blocks: 536974
adobe has also confirmed the new update on 1/12 will close off expoits in the wild and will help fix spike in crashes seen in a couple of top crash bugs.
https://bugzilla.mozilla.org/show_bug.cgi?id=536974#c9
fixes are live in a 9.3 release

http://www.adobe.com/support/security/bulletins/apsb10-02.html
Hey guys - is there a way we can hard-code this to force an adobe warning?
yeah, if we could show status of

  [research] 

that would be the first step.

if we could insert a note some how about a critical update is available that would also be good.
It would also be great to test Adobe Reader on a Windows machine and see what the plugincheck picks up or doesn't pick up.
(In reply to comment #6)
(In reply to comment #8)
Across platforms, or just non-Windows?
all platforms please!
Assignee: nobody → ozten.bugs
I installed the latest update from

http://get.adobe.com/es/reader/

to try and get 

Adobe Reader 9.3
Windows XP SP2 - SP3, Español

installed on a windows vm.

about:plugins now shows

    Archivo: nppdf32.dll
    Versión: 9.0.0.332
    Adobe PDF Plug-In For Firefox and Netscape


then checking http://www.mozilla.com/en-US/plugincheck/ I see:

Adobe Acrobat
Adobe PDF Plug-In For Firefox and Netscape 	Unable to Detect Plugin Version
  and the [research] button.

I think that is exactly the right thing we should be doing, until we get a better version number.   We should just confirm that older versions of the plugin work the same way.


I wonder if the [research] button should point at 
  http://get.adobe.com/reader/ 

instead of the current like that just does this google search  
 http://www.google.com/search?q=current%20version%20plugin%20Adobe%20Acrobat
Assignee: ozten.bugs → nobody
looks like http://get.adobe.com/reader/ does the right kind of redirection to http://get.adobe.com/es/reader/ if I have say a es-CL version of firefox installed.
from IRC #pfs
ozten: When do we know it's "safe" to take down this message
[12:58pm] ozten: only with Firefox 3.6 and later can we detect '9.3.0.148'
[12:58pm] ozten: otherwise it is unknown
[12:59pm] chofmann: "adobe recommend Adobe Reader 9.3"
[12:59pm] chofmann: link to http://get.adobe.com/reader/
Adding a static message when there is an unknown plugin named Adobe Acrobat" js/plugincheck.js
Sending        js/plugincheck.js
Transmitting file data .
Committed revision 59807.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
I guess I should have said:

  "Adobe recommends Adobe Reader 9.3"
(In reply to comment #15)
My bad. Updated on trunk in 5-10.
https://www-trunk.stage.mozilla.com/en-US/plugincheck/
Is the testcase:

1) Load plugincheck on trunk using Firefox 3.6 and any version of 9.3*, and verify that we can detect it, --and-
2) Verify that for any other version < 3.6 with and without 9.3*, we show the static message?

Thanks!
(In reply to comment #17)
Firefox 3.6 doesn't get any extra data. When we implement cross-browser support, then we'll be able to take advantage of navigator.plugin.version.
'Adobe Reader' is used on Linux instead of 'Adobe Acrobat'. Added this alternative.

js/plugincheck.js
Sending        js/plugincheck.js
Transmitting file data .
Committed revision 59980.
Verified FIXED:

I tested:

* Mac: Firefox 3.5/3.6 with old/up-to-date plugins, but was unable to see the Reader plugin, even in about:plugins (must copy itself to some system directory)
* Linux: Firefox 3.5/3.6 with old/up-to-date plugins, and got the message and link: Notice: Adobe recommend Acrobat Reader 9.3
* Windows: Firefox 3.5/3.6 with old/up-to-date plugins, and got the message and link: Notice: Adobe recommend Acrobat Reader 9.3

Don't know what--if anything--we can do about Mac.

Austin/others: please let me know if I need to do other verification steps, or if there are spinoff bugs to be filed; thanks!
Status: RESOLVED → VERIFIED
(In reply to comment #22)
Sounds good. Kubla willing... pushing now.
looks good.  thanks for working on this.

I'm not sure why the Product name links and the [research] button point at google searches for things like acrobat and

http://www.google.com/search?q=current%20version%20plugin%20Google%20Update

We we just need some research to dig out more direct links to download pages for some of these?

It look like silverlight, flash and maybe some other of the major plugins are doing the more direct linking to pages like

http://www.microsoft.com/silverlight/get-started/install/default.aspx

we should do that as much as we can.

Linking to the google search results introduces a bit of a security risk.  The attack looks like and attacker getting a high listing or paid search for something that looks like one of these popular plugins but is not.  The we help draw more downloads of the imposter plugin by linking to google search results rather than directly to the authorized source.
Adobe doesn't support Mac Firefox, which may be why you're having trouble finding the plug-in ;)

Also, we recommend http://get.adobe.com/reader for the website to get the latest Reader.

Is this URL something you hard-code in the mozilla codebase or something you get from the plug-in?
(In reply to comment #25)
We do have http://get.adobe.com/reader/ set as the update url in our system. These urls are displayed as the link for the call to action button.

When we can't determine a user's version number, we make the call to action "Research" and we don't use the update url, but a generic search url instead. Chris brought up some issues with this in comment #24, but that is the current implementation.
(Verified FIXED again on prod.)
there is a new update.

http://www.adobe.com/support/security/bulletins/apsb10-07.html

Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1. 

I think we should just go with checking for that, but we could also account for these updates to 8.2.1

(For Adobe Reader users on Windows and Macintosh who cannot update to Adobe Reader 9.3.1, Adobe has provided the Adobe Reader 8.2.1 update.) 

Adobe recommends users of Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh update to Adobe Acrobat 9.3.1. Adobe recommends users of Acrobat 8.2 and earlier versions for Windows and Macintosh update to Acrobat 8.2.1.

Rudy, do you know if we will be able to detect versions with this update?
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
hm, when i go with the latest adobe reader plugin installed in firefox on WinXP to the plugin check i get:

Adobe Acrobat
Adobe PDF Plug-In For Firefox and Netscape 	Unable to Detect Plugin 

Notice: Adobe recommend Acrobat Reader 9.3

So seems we are still not able to detect the Version
I finally prevailed, the version-checking fix is coming soon (my hands are tied on mentioning actual dates).  Once that's in, I'll add more info to this bug.
Chofmann: it's really confusing when you reopen a verified fixed bug; in the future, can you please file a new one?
do we really need n update bugs times n plugins?  I was hoping that we could just recycle the bugs linked off the tracking bug 524458.  that seems like overkill but I'll start doing that if we want.  

I was hoping that this release would help us get rid of the "adobe recommends" work around talked about in this bug, but it sounds like there is nothing we can do again until the next reader update per comment 30.  If that is the case we can just close this since we have done all the warning that we can do given the version info available from the plugin.
dveditz had some ideas around softblocking that might help people to get updated until we get an update with better version info.
(In reply to comment #33)
> dveditz had some ideas around softblocking that might help people to get
> updated until we get an update with better version info.

Any updates on that?
Hi Rudi,

I see http://www.adobe.com/support/security/bulletins/apsb10-09.html today

did the version info make it into Adobe Reader 9.3.2.?
(In reply to comment #35)
> Hi Rudi,
> 
> I see http://www.adobe.com/support/security/bulletins/apsb10-09.html today
> 
> did the version info make it into Adobe Reader 9.3.2.?

seems so :) plugincheck finds the version :)

Adobe PDF Plug-In For Firefox and Netscape "9.3.2"   	9.3.2
Thanks for being patient, this took quite a bit of time and gentle pushing to get into and through the pipeline ;)

Version 9.3.2 of Reader now includes 9.3.2 in the name and this will be updated for each new version.
Version 8.2.2 of Reader now includes 8.2.2 in the name and will be updated for each new version.

We are working on getting the right pages for the URLs for the plugincheck page, but I have no details about that yet.
Since we reopened a fixed bug anyway (chofmann: it seems messier to me this way, but if everyone else is comfy with it, so be it), dumping this here, in case it's useful:

[{"aliases":{"literal":["Adobe Acrobat","Adobe Reader"]},"releases":{"latest":{"id":"8","pfs_id":"adobe-reader","name":"Adobe Reader","description":"Adobe PDF Plug-In For Firefox and Netscape","vendor":"Adobe","url":"http://get.adobe.com/reader/","modified":"2010-03-22T00:30:01+00:00","created":"2010-03-11T02:45:08+00:00","plugin_id":"2","os_id":"3","platform_id":"8","status":"latest","version":"9.1.0.163","detected_version":"9.1.0.163","detection_type":"original","os_name":"win","app_id":"*","app_release":"*","app_version":"*","locale":"*","fetched":"2010-04-23T00:12:25-07:00","relevance":3},"others":[]}}]

Using Firefox 3.6.3 with Adobe Reader version 9.3.0.148, on prod/authstage, I see "Unable to detect plugin version" and "? Research".
Those are the correct versions for 9.3.2 (...163) and 9.3.1 (...148).

We are working on getting a specific page, more detailed than the get-reader page.

I'll let you know when we have that done.
(In reply to comment #37)
@Rudi This is excellent news! Congrats pushing this through.

I've updated the db 'latest' to 9.3.2 for all OS all detection methods.
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
The plugins for 9.3.2 and 8.2.2 now have the version in plugin description; you
can assume that any plug-in without a version number is out-of-date.

The URL to go to for non-current versions is:

http://www.adobe.com/go/acrobat_reader_updates
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: