Closed Bug 527023 Opened 15 years ago Closed 12 years ago

Add 'may be vulnerable' status

Categories

(Websites :: plugins.mozilla.org, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: chofmann, Assigned: lorchard)

References

Details

(Whiteboard: [data])

http://www.mxlogic.com/securitynews/web-security/adobe-issues-critical-security-update-for-shockwave-player000.cfm

Adobe Systems yesterday released a critical update for all versions of Shockwave Player and recommends that users upgrade to version 11.5.2.602 to protect against cyber attacks exploiting the vulnerability. Adobe rated the update critical, its highest priority bulletin, which means the security vulnerability allows remote code execution on a victim PC without user knowledge. A hacker could exploit this vulnerability with malicious code on a website.
<auscompgeek> on the support channel reports he currently gets

Shockwave for Director
Adobe Shockwave for Director Netscape plug-in, version 11.5
11.5
Up to Date

Do we need to add extra precision for 11.5.2.602?
For Fx 3.5.5 we can only detect 11.5. This happens for 11.5.2.602 or older 11.5 builds. Adobe needs to add their full build number to the plugin description.

Current: "Adobe Shockwave for Director Netscape plug-in, version 11.5"
Expected: "Adobe Shockwave for Director Netscape plug-in, version 11.5.2.602"
Minefield's navigator.plugin.version is reporting 11.5.2.602. PluginCheck doesn't currently support this feature.
I wonder if we need to add a "Might be vulnerable" status for imprecise version matches where we know there's a vulnerability lurking? Because we need to add extra precision to detect this one, but for other than Firefox 3.6+ we can't.
Component: Plugins → plugins.mozilla.org
Product: addons.mozilla.org → Websites
Need to repro and add 'may be vulnerable' status.
Whiteboard: [data]
Assignee: nobody → lorchard
Target Milestone: --- → 1.1
Is this bug for the plugin check page on mozilla.com, or for the directory itself? I'm not as familiar with hacking the mozilla.com page.

As far as I can tell, the directory supports "maybe vulnerable" but I can't reproduce things for the plugin in question here.
(In reply to comment #6)
> Is this bug for the plugin check page on mozilla.com, or for the directory
> itself? I'm not as familiar with hacking the mozilla.com page
>
> As far as I can tell, the directory supports "maybe vulnerable" but I can't
> reproduce things for the plugin in question here.

I don't see a 'May be vulnerable' option in the dropdown menu for releases. Is it handled elsewhere? I'm thinking this might be best handled by perfidies if a plugin's full version string (compared to pfs2's version string) is not available.
Summary: Plugin update page changes for Shockwave Player → Add 'may be vulnerable' status
Currently, "maybe vulnerable" is not a selectable status. It's reported by the API if there are two or more releases that come up in a search that have different statuses, but the same detected version. That is, if we had vendor-intended versions of Shockwave 10.5.6 (vulnerable) and 10.5.7 (latest), but all we could detect for Firefox 3.5 was 10.5 - that would come up as maybe_vulnerable.
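The rule described in the comment above, sketched as an added example (not code from the plugin directory, PFS2 or Perfidies). The record shape, the function names and the "unknown" fallback are assumptions; the versions and statuses are the ones used in the comment, plus one constructed "outdated" record.

```javascript
// Constructed release records; field names are assumptions, not the directory's schema.
const RELEASES = [
  { version: "10.5.6", status: "vulnerable" },
  { version: "10.5.7", status: "latest" },
  { version: "10.4.0", status: "outdated" }, // constructed extra record
];

// Split a dotted version string into integer components.
function parseVersion(v) {
  return v.split(".").map((part) => parseInt(part, 10));
}

// A release matches when every component the browser reported equals the
// release's component at that position (missing release components count as 0).
// A coarse detection such as "10.5" therefore matches both 10.5.6 and 10.5.7.
function matchesDetected(detected, releaseVersion) {
  const d = parseVersion(detected);
  const r = parseVersion(releaseVersion);
  return d.every((n, i) => n === (r[i] ?? 0));
}

// Resolve the status to report for a detected version.
function resolveStatus(detected, releases) {
  const statuses = new Set(
    releases
      .filter((rel) => matchesDetected(detected, rel.version))
      .map((rel) => rel.status)
  );
  if (statuses.size === 0) return "unknown"; // assumption: no release matched
  if (statuses.size === 1) return [...statuses][0]; // unambiguous match
  // Two or more releases share the detected version but disagree on status.
  return "maybe_vulnerable";
}

console.log(resolveStatus("10.5", RELEASES));   // coarse detection (Firefox 3.5 case)
console.log(resolveStatus("10.5.7", RELEASES)); // full version string available
```

With a full version string the ambiguity disappears, which is why the result depends on how much precision the browser exposes.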
Target Milestone: 1.1 → 1.2
Target Milestone: 1.2 → 1.3
I have a similar problem, plugin-check reports this as outdated:

Shockwave Flash 10.1 r102
Outdated Version

even though it is the most recent. The exact version is 10.1.102.64 but the 4th number (.64) in the end can safely be ignored because in the last updates there was always an increase in the 3rd number (.102). Same with Adobe Reader, I have 9.4. installed which is the most recent version and it's reported as outdated. Plugin check is crying wolf far too often and unnecessarily.
So I think this is fixed with the vulnerable status. So closing this bug, but let me know if there are issues you want to have addressed.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED