Closed Bug 708201 Opened 14 years ago Closed 10 years ago

Adobe Reader version 9.4.6 fails to update the Firefox plugin which remains as 9.4.5.236

Categories

(Firefox :: Security, defect)

8 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: xircal, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Build ID: 20111120135848

Steps to reproduce:

Downloaded Adobe Reader 9.4 from http://get.adobe.com/reader/otherversions/ and then updated via the Adobe Help menu to 9.4.6 (secure and supported version).

Actual results:

The Firefox plugin is only updated to 9.4.5.236 which causes a Plugin Check to report that the plugin is out of date and a potential security risk. The only option is to disable the plugin since it cannot be removed.

However, if the user lands on a PDF site, Firefox displays a dialog inviting the user to choose whether to download the file to the local machine, or to open it with the disabled plugin. If the latter action is chosen, Firefox re-enables the plugin which in turn reintroduces the security risk. Since the user may not be aware that the plugin has been re-enabled, action needs to be taken to ensure that it has been disabled once the document has been closed.

The problem appears to lie on the Adobe side since the plugin (nppdf32.dll) is dated 07-June-11 which seems to imply that Adobe is trying to force users to upgrade to Reader X by not updating older plugins which enable PDF files to be displayed in browsers.

Expected results:

The plugin should have been updated to 9.4.6 as well.

> Firefox displays a dialog inviting the user to choose whether to download the file
> to the local machine, or to open it with the disabled plugin.

You get a helper app dialog where you can either save the file or choose a helper application to open the file. That will of course include Acrobat that is called directly as helper application but not with the plugin.

Are you sure that the plugin is enabled again after calling Acrobat as helper application?

(In reply to Matthias Versen (Matti) from comment #1)
> Are you sure that the plugin is enabled again after calling Acrobat as
> helper application ?

Yes, the plugin remains enabled after using the helper app to open the file and then exiting the site.

But Adobe has just issued details of a Zero Day exploit targeting Reader 9.4.6 and expects to release an out-of-cycle patch around 12 December. So hopefully, they'll update the Firefox plugin at the same time.

Details here: http://blogs.adobe.com/asset/2011/12/background-on-cve-2011-2462.html

Adobe released Reader version 9.4.7 today to address the vulnerability, but the Firefox plugin version remains the same, i.e. 9.4.5.236.

This continues to expose users to the vulnerability reported in CVE-2011-2462 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2462

Immediate action needs to be taken to prevent the plugin from running in Firefox since not every user is likely to check the plugins manager after updating Reader.

Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE