Blocklist Flash 10 < 10.3.183.15 on Intel due to in-the-wild exploit

RESOLVED FIXED

Status

Product: Camino Graveyard
Component: Plug-ins
Priority: --
Severity: major
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 6 years ago

People

(Reporter: Smokey Ardisson (offline for a while; not following bugs - do not email), Assigned: Smokey Ardisson (offline for a while; not following bugs - do not email))

Details

(Whiteboard: [camino-2.1.1], URL)

Attachments

(2 attachments)

Current Flash vuln is apparently actively exploited in the wild.

Flash 10.3.183.15 (and 11.1.102.62, for anyone who has installed Flash 11) contain a fix for this.

We should consider blocklisting everything < 10.3.183.15 on Intel, and possibly 10.9 > everything < 11.1.102.62 for people who have, for whatever reason, updated to 11.x.

Ideally we'd do this for 2.1.1, but the timing of everything sucks (particularly if Adobe managed to fubar this update like they did for that one previous 11.x one).
Flags: camino2.1.1?
Created attachment 597668 [details] [diff] [review]
Blocks Flash < 10.3.183.15 on Intel

This is the simple option, which just revs the version struct for Intel.  Per bug 688370 comment 1, this has blanket-sr=smorgan because it's a 0-day.
Assignee: nobody → alqahira
Status: NEW → ASSIGNED
Created attachment 597670 [details] [diff] [review]
Complex fix to block old Flash 10 and also Flash 11 < 11.1.102.62

Here's the other version, which also blocks Flash 11 versions less than 11.1.102.62 if installed.  Not sure if this patch is the best way to deal with it or not.

I have no idea what might happen if the user has both Flash 10.3.x installed in the profile Internet Plug-Ins folder and 11 installed at the OS level; hopefully, the user will upgrade both at the same time!

Of course, you can't test either patch due to bug 667441 (and the whole blocklisting system may not work at all due to that), but we can try to do the right thing :P

Stuart, your call on which approach we choose.  Also, if we want to take this for 2.1.1, we should relnote it, I think.
Attachment #597670 - Flags: superreview?(stuart.morgan+bugzilla)
Blocks: 725812

Comment 3

6 years ago
Comment on attachment 597670 [details] [diff] [review]
Complex fix to block old Flash 10 and also Flash 11 < 11.1.102.62

Review of attachment 597670 [details] [diff] [review]:
-----------------------------------------------------------------

sr=smorgan, with some changes.

::: src/application/PluginBlocklistService.mm
@@ +139,2 @@
>        blocked = IsOlder(version, minFlashVersion);
> +    

Get rid of the spaces on this line.

@@ +140,5 @@
> +    
> +      // Flash 11 doesn't officially support Gecko 1.9.2, but users on 10.6 and
> +      // 10.7 may still have it installed instead of Flash 10.3.
> +      if (!blocked && version.major == 11) {
> +        VersionStruct minFlashElevenVersion = { 11, 1, 102, 62 };
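
Review bot: the comment above the if in this hunk explains why Flash 11 may be installed, but nothing next to the { 11, 1, 102, 62 } initializer says where that floor comes from. Suggest a short comment beside minFlashElevenVersion naming the fixed release or this bug, so whoever revs the struct next knows which fix it tracks.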

Move this and the comment that's before the if block up to where the other version declarations are, just after the #endif. That will make it easier to maintain.

In fact... let's call it minUnsupportedFlashVersion and change the comment to "Flash 11+", then instead of 11 in the if, do:
  if (!blocked && version.major > minFlashVersion[0])

Then if two weeks from now Flash 12 comes out, and 11 is found to have a 0-day that's only fixed in 12, we can just change the version struct instead of the code.
Attachment #597670 - Flags: superreview?(stuart.morgan+bugzilla) → superreview+
I wasn't sure if it was worth doing a constant for Flash 11, but those changes certainly make things a lot nicer!

http://hg.mozilla.org/camino/rev/a2bb14dfa9f6 with those changes and "version.major > minFlashVersion.major" so that it compiles--review-coding strikes again! :)
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Flags: camino2.1.1? → camino2.1.1+
Resolution: --- → FIXED
Whiteboard: [camino-2.1.1]
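
The two-floor check agreed in the review above, written out as an added, self-contained example (not the code that landed in Camino). VersionStruct, IsOlder, minFlashVersion and minUnsupportedFlashVersion are names from the thread; their definitions, the field names after .major, ParseVersion and the fail-closed wrapper are assumptions, and only the Intel floor is modelled.

```cpp
// Added example; not taken from src/application/PluginBlocklistService.mm.
#include <cstdio>
#include <tuple>

// Field names other than .major are assumptions; the page shows only .major.
struct VersionStruct { int major, minor, bugfix, build; };

// True when `v` sorts strictly before `floor`, comparing fields left to right.
static bool IsOlder(const VersionStruct& v, const VersionStruct& floor) {
  return std::tie(v.major, v.minor, v.bugfix, v.build) <
         std::tie(floor.major, floor.minor, floor.bugfix, floor.build);
}

// Floors from the bug: the Intel Flash 10 fix and the Flash 11 fix.
static const VersionStruct minFlashVersion = { 10, 3, 183, 15 };
static const VersionStruct minUnsupportedFlashVersion = { 11, 1, 102, 62 };

// Two-floor check in the shape agreed in review: the second floor applies to
// any major version above the supported one, so only the structs need revving.
bool IsFlashBlocked(const VersionStruct& version) {
  bool blocked = IsOlder(version, minFlashVersion);
  if (!blocked && version.major > minFlashVersion.major)
    blocked = IsOlder(version, minUnsupportedFlashVersion);
  return blocked;
}

// Parses "a.b.c.d"; missing trailing fields count as 0. Returns false on
// input that does not start with a number.
bool ParseVersion(const char* text, VersionStruct* out) {
  *out = VersionStruct{ 0, 0, 0, 0 };
  return std::sscanf(text, "%d.%d.%d.%d", &out->major, &out->minor,
                     &out->bugfix, &out->build) >= 1;
}

// Convenience wrapper: unparseable version strings are treated as blocked
// (a fail-closed choice made for this example, not stated in the bug).
bool IsFlashVersionStringBlocked(const char* text) {
  VersionStruct v;
  return !ParseVersion(text, &v) || IsFlashBlocked(v);
}

int main() {
  const char* samples[] = { "10.3.183.14", "10.3.183.15", "11.1.102.61",
                            "11.1.102.62", "12.0.0.0" };  // constructed inputs
  for (const char* s : samples)
    std::printf("%-12s %s\n", s, IsFlashVersionStringBlocked(s) ? "blocked" : "allowed");
  return 0;
}
```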