Closed Bug 727667 Opened 13 years ago Closed 13 years ago

Blocklist Flash 10 < 10.3.183.15 on Intel due to in-the-wild exploit

Categories

(Camino Graveyard :: Plug-ins, defect)

Product:
Camino Graveyard
Component:
Plug-ins
Platform:
All
macOS
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: alqahira, Assigned: alqahira)

References

(
URL
)

Details

(Whiteboard: [camino-2.1.1])

Attachments

(2 files)

Blocks Flash < 10.3.183.15 on Intel
1023 bytes, patch
Details | Diff | Splinter Review
Complex fix to block old Flash 10 and also Flash 11 < 11.1.102.62
2.21 KB, patch
stuart.morgan+bugzilla
: superreview+
Details | Diff | Splinter Review
Current Flash vuln is apparently actively exploited in the wild. Flash 10.3.183.15 (and 11.1.102.62, for anyone who has installed Flash 11) contain a fix for this. We should consider blocklisting everything < 10.3.183.15 on Intel, and possibly 10.9 > everything < 11.1.102.62 for people who have, for whatever reason, updated to 11.x. Ideally we'd do this for 2.1.1, but the timing of everything sucks (particularly if Adobe managed to fubar this update like they did for that one previous 11.x one).
Flags: camino2.1.1?
This is the simple option, which just revs the version struct for Intel. Per bug 688370 comment 1, this has blanket-sr=smorgan because it's a 0-day.
Assignee: nobody → alqahira
Status: NEW → ASSIGNED
Here's the other version, which also blocks Flash 11 versions less than 11.1.102.62 if installed. Not sure if this patch is the best way to deal with it or not. I have no idea what might happen if the user has both Flash 10.3.x installed in the profile Internet Plug-Ins folder and 11 installed at the OS level; hopefully, the user will upgrade both at the same time! Of course, you can't test either patch due to bug 667441 (and the whole blocklisting system may not work at all due to that), but we can try to do the right thing :P Stuart, your call on which approach we choose. Also, if we want to take this for 2.1.1, we should relnote it, I think.
Attachment #597670 - Flags: superreview?(stuart.morgan+bugzilla)
Comment on attachment 597670 [details] [diff] [review] Complex fix to block old Flash 10 and also Flash 11 < 11.1.102.62 Review of attachment 597670 [details] [diff] [review]: ----------------------------------------------------------------- sr=smorgan, with some changes. ::: src/application/PluginBlocklistService.mm @@ +139,2 @@ > blocked = IsOlder(version, minFlashVersion); > + Get rid of the spaces on this line. @@ +140,5 @@ > + > + // Flash 11 doesn't officially support Gecko 1.9.2, but users on 10.6 and > + // 10.7 may still have it installed instead of Flash 10.3. > + if (!blocked && version.major == 11) { > + VersionStruct minFlashElevenVersion = { 11, 1, 102, 62 }; Move this and the comment that's before the if block up to where the other version declarations are, just after the #endif. That will make it easier to maintain. In fact... let's call it minUnsupportedFlashVersion and change the comment to "Flash 11+", then instead of 11 in the if, do: if (!blocked && version.major > minFlashVersion[0]) Then if two weeks from now Flash 12 comes out, and 11 is found to have a 0-day that's only fixed in 12, we can just change the version struct instead of the code.
Attachment #597670 - Flags: superreview?(stuart.morgan+bugzilla) → superreview+
I wasn't sure if it was worth doing a constant for Flash 11, but those changes certainly make things a lot nicer! http://hg.mozilla.org/camino/rev/a2bb14dfa9f6 with those changes and "version.major > minFlashVersion.major" so that it compiles--review-coding strikes again! :)
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Flags: camino2.1.1? → camino2.1.1+
Resolution: --- → FIXED
Whiteboard: [camino-2.1.1]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: