Bug 754723 - Consider blocklisting Flash versions <=10.2.159.1
Status: RESOLVED FIXED
Whiteboard: [plugin]
Product: Toolkit
Classification: Components
Component: Blocklisting
Version: unspecified
Platform: All All
Importance: -- normal
Assigned To: Nobody; OK to take it and work on it
Blocks: 758294

Reported: 2012-05-13 15:30 PDT by Alex Keybl [:akeybl]
Modified: 2016-03-07 15:30 PST


Attachments
Plugins pane after new flash installation (503.33 KB, image/png)
2012-05-15 17:25 PDT, Al Billings [:abillings]

Description Alex Keybl [:akeybl] 2012-05-13 15:30:12 PDT
Plugin name: Adobe Flash Player
Plugin versions to block: 10.2.159.1 or less
Applications, versions, and platforms affected: Firefox, all, all
Block severity: severity=0

How does this plugin appear in about:plugins?
    File: Flash Player.plugin
    Version: 10.2.159.1
    Description: Shockwave Flash

Reasons:
* Security vulnerabilities
* Crashiness
Comment 1 Alex Keybl [:akeybl] 2012-05-13 15:32:08 PDT
Based upon https://bugzilla.mozilla.org/show_bug.cgi?id=526019#c20, we may actually want to limit this block to 3.6 and later (since early versions are soft/hard blocks).

For now, let's stage this blocklist and evaluate the user experience before moving forward. Please add qawanted once it's pushed to staging.
Comment 2 Carsten Book [:Tomcat] 2012-05-13 22:58:42 PDT
might be related /dupe whatever to https://bugzilla.mozilla.org/show_bug.cgi?id=704158 or maybe we can dupe that bug to this bug here
Comment 3 Robert Kaiser 2012-05-14 03:36:57 PDT
Tomcat, yes, at least the discussion to get to this bug came out of my efforts for bug 704158. They're closely related, if not dupes.
Comment 4 Alex Keybl [:akeybl] 2012-05-14 07:59:21 PDT
Perhaps we want bug 704158 to track the longer term soft/hard block of these old versions of Flash? I'll let Jorge decide how he wants to track the work.
Comment 5 Jorge Villalobos [:jorgev] 2012-05-14 14:46:19 PDT
(In reply to Alex Keybl [:akeybl] from comment #0)
> Block severity: severity=0

That would be a hardblock (a softblock would be severity=1). Is that what we want? If so, I don't see why we would exclude Firefox versions older than 3.6.

(In reply to Alex Keybl [:akeybl] from comment #4)
> Perhaps we want bug 704158 to track the longer term soft/hard block of these
> old versions of Flash? I'll let Jorge decide how he wants to track the work.

I'm not sure what you mean by longer term. If the ultimate purpose of this bug is to block these old versions, then I'd rather dupe bug 704158 and keep track of things here.
Comment 6 Jorge Villalobos [:jorgev] 2012-05-14 15:28:32 PDT
OK, I have staged the block here:
https://addons-dev.allizom.org/en-US/firefox/blocked/p87

A few notes on this block:
* It is a softblock, so users should have the option to reject it or reverse it.
* It should work correctly on Mac OS X.
* On Windows I'm using the following RE to detect the file name: NPSWF[0-9_]*\.dll. The sample I got is NPSWF32_11_2_202_235.dll, and it'd be good to get some more, especially for the versions we intend to block.
* On Linux we have the problem that plugin version numbers are not reported to Firefox, so we can't use a version range. For now, the block doesn't include Linux. If we want to include it, we'll need samples of the description text for blocked and non-blocked versions of the plugin, so that I can come up with a RE that matches the description text correctly.
Comment 7 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-14 17:28:22 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #6)
> OK, I have staged the block here:
> https://addons-dev.allizom.org/en-US/firefox/blocked/p87

I've put together a test plan for Softvision to run through tonight:
https://etherpad.mozilla.org/flash-blocklist-10-2

Please review and if there are any issues bring them to my attention. If I don't hear back from you in the next couple of hours, I'll send it out to Softvision.
Comment 8 Al Billings [:abillings] 2012-05-14 17:44:38 PDT
Testplan looks fine to me.
Comment 9 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-14 17:48:14 PDT
Thanks Al. Test plan has been circulated. I will report results tomorrow morning.
Comment 10 Robert Kaiser 2012-05-15 04:33:42 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #5)
> (In reply to Alex Keybl [:akeybl] from comment #0)
> > Block severity: severity=0
> 
> That would be a hardblock (a softblock would be severity=1). Is that what we
> want?

On the security-group list, we were informed that severity=2 would be hardblock, 1 would be softblock and 0 would be only showing a notification bar in the browser that urges the user to update, with a link to plugincheck. Was that information wrong, or is that maybe not implemented on the server side?

> I'm not sure what you mean by longer term. If the ultimate purpose of this
> bug is to block these old versions, then I'd rather dupe bug 704158 and keep
> track of things here.

The current plan is to go with the notification bar for now and with a softblock later on (depending on what effect the notification bar brings and potentially UI improvements).


(In reply to Jorge Villalobos [:jorgev] from comment #6)
> * On Windows I'm using the following RE to detect the file name:
> NPSWF[0-9_]*\.dll. The sample I got is NPSWF32_11_2_202_235.dll, and it'd be
> good to get some more, especially for the versions we intend to block.

The versions we want to block all have NPSWF32.dll as the filename, AFAIK including the version in the filename was only introduced with Flash 11.2.
Comment 11 Jorge Villalobos [:jorgev] 2012-05-15 08:23:58 PDT
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #10)
> On the security-group list, we were informed that severity=2 would be
> hardblock, 1 would be softblock and 0 would be only showing a notification
> bar in the browser that urges the user to update, with a link to
> plugincheck. Was that information wrong, or is that maybe not implemented on
> the server side?

My understanding is that there are only two levels: 0 for hardblock (default) and 1 for softblock. I wasn't aware of the notification bar option. I'll investigate, maybe things are different for plugin blocks.

> The version we want to block all have NPSWF32.dll as the filename, AFAIK
> including the version in the filename was only introduced with Flash 11.2.

OK, I modified the filename check to only match NPSWF32.dll on Windows.
Comment 12 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-15 10:11:14 PDT
The staged block appears to be working. The only issue that was reported was the following scenario:

1. Install Flash 10.1
2. Blocklist ping > restart to disable Flash
3. Enable Flash in the Add-ons Manager
4. Update to Flash 11.2 and restart Firefox

Result:
Flash 10.1 and 11.2 both appear in the Addons Manager enabled. Disabling Flash 11.2 continues to allow usage of Flash 10.2. It should be noted that I've spent an hour trying to reproduce this and cannot; updating Flash to 11.2 overwrites Flash 10.2 in all instances.

We could delay the push to production further to do more testing around this scenario but I don't think it's a good use of our time. The risks of delaying the block of Flash 10.2 are greater than the risks of this unreproducible edge-case, in my opinion.
Comment 13 Kev Needham [:kev] 2012-05-15 10:17:54 PDT
Are we planning on pushing this to production imminently?
Comment 14 Alex Keybl [:akeybl] 2012-05-15 10:21:42 PDT
(In reply to Kev [:kev] Needham from comment #13)
> Are we planning on pushing this to production imminently?

Nope, we'll need to finish evaluating the experience before going to production. Please wait on my go, which likely won't come this week.
Comment 15 Alex Keybl [:akeybl] 2012-05-15 10:23:13 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #5)
> (In reply to Alex Keybl [:akeybl] from comment #0)
> > Block severity: severity=0
> 
> That would be a hardblock (a softblock would be severity=1). Is that what we
> want? If so, I don't see why we would exclude Firefox versions older than
> 3.6.

Dan V suggested that there's an intermediate option (notification bar for outdated plugins) in email and subsequently in https://bugzilla.mozilla.org/show_bug.cgi?id=526019#c20

This bug isn't meant to cover a soft/hard block, only the use of the outdated plugin notification.
Comment 16 Jorge Villalobos [:jorgev] 2012-05-15 12:56:25 PDT
Mossop has confirmed that comment #10 is right about block levels, though he pointed out it has never been used in practice and should be tested carefully.

I've changed the block to have severity=0. Please test again. In this case, you should get a notification bar telling you the plugin is outdated. The plugin should not be disabled.
Comment 17 Robert Kaiser 2012-05-15 13:07:04 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #16)
> Mossop has confirmed that comment #10 is right about block levels, though he
> pointed out it has never been used in practice and should be tested
> carefully.

Good, and yes, this is probably a first, reason enough to both test it well and actually use a feature that has been there resting for a while. :)

> I've changed the block to have severity=0.

Thanks, let's hope testing works out well. :)
Comment 18 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-15 13:20:22 PDT
Just confirming the desired behaviour before I put in the effort to retest this...

> 1. Install Flash 10.2
> 2. Force blocklist ping to staging
> 3. Notification bar appears warning user of unsafe Flash version
> 4. Test enable/disable/upgrade scenarios as before

Is this correct?
Comment 19 Jorge Villalobos [:jorgev] 2012-05-15 13:33:53 PDT
3. Notification bar appears warning user of outdated Flash version. The plugin will continue to be enabled.
4. Clicking on the button in the notification should take you to the plugin check page where you can upgrade Flash. After updating Flash, the notification shouldn't appear again.

I don't think we need to do any status testing since this block level doesn't do anything to the plugin status.
Comment 20 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-15 13:35:14 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #19)
> After updating Flash, the notification shouldn't appear again.

Is there a way to force this check or adjust timers so I'm not waiting indefinitely?
Comment 21 Kev Needham [:kev] 2012-05-15 14:58:42 PDT
My preferred way is to clear app.update.lastUpdateTime.blocklist-background-update-timer and restart. You can also set extensions.blocklist.interval to something like 60 seconds, but that's not really recommended if you forget to set it back :D

kev

(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #20)
> (In reply to Jorge Villalobos [:jorgev] from comment #19)
> > After updating Flash, the notification shouldn't appear again.
> 
> Is there a way to force this check or adjust timers so I'm not waiting
> indefinitely?
Comment 22 Dave Townsend [:mossop] 2012-05-15 15:12:06 PDT
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #20)
> (In reply to Jorge Villalobos [:jorgev] from comment #19)
> > After updating Flash, the notification shouldn't appear again.
> 
> Is there a way to force this check or adjust timers so I'm not waiting
> indefinitely?

I wrote an add-on that adds a thing to the tools menu to manually trigger certain timers: https://addons.mozilla.org/en-US/firefox/addon/timer-fire/
Comment 23 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-15 15:41:49 PDT
I'm not seeing a notification bar after forcing a ping, although p87 appears in my blocklist.xml file.

Firefox 12.0 en-US on Windows 7 64-bit.
Comment 24 Al Billings [:abillings] 2012-05-15 17:25:45 PDT
Created attachment 624253
Plugins pane after new flash installation

I see a notification bar on Win 7 SP1 (32-bit). The problem is that after I update, I get BOTH the old version and the new version in my plugins list.
Comment 25 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-16 09:35:31 PDT
(In reply to Al Billings [:abillings] from comment #24)
> I see a notification bar on Win 7 SP1 (32-bit). The problem is that after I
> update, I get BOTH the old version and the new version in my plugins list.

Interesting; this was a problem Softvision was seeing yesterday but I was unable to reproduce.
Comment 26 Alex Keybl [:akeybl] 2012-05-16 10:49:23 PDT
(In reply to Al Billings [:abillings] from comment #24)
> I see a notification bar on Win 7 SP1 (32-bit). The problem is that after I
> update, I get BOTH the old version and the new version in my plugins list.

Cheng sent email about this - looks like bug 686335 is causing the old Flash plugin to stay registered till system restart (at which point it's removed). 

Al - does the notification bar continue to drop down after installing the newer version (across browser restarts, etc.)? Also, can you confirm that a system restart removed the older version?
Comment 27 Al Billings [:abillings] 2012-05-16 13:42:50 PDT
(In reply to Alex Keybl [:akeybl] from comment #26)

> Al - does the notification bar continue to drop down after installing the
> newer version (across browser restarts, etc.)? Also, can you confirm that a
> system restart removed the older version?

There is no notification bar after the upgrade. I rebooted the machine and the old version is no longer mentioned, as you described.
Comment 28 Alex Keybl [:akeybl] 2012-05-16 17:32:55 PDT
(In reply to Al Billings [:abillings] from comment #27)
> There is no notification bar after the upgrade. I rebooted the machine and
> the old version is no longer mentioned, as you described.

Given this, I don't think that issue is a blocker. I think the only remaining issue is comment 23.

Anthony, were you able to ever get the notification bar to come down?
Comment 29 [:Cww] 2012-05-16 18:10:05 PDT
The only annoying thing would be that if a user tries to plugincheck again (or still has the tab open) it'll say that they're still out of date until they actually restart their computer.  (And they're correspondingly not-safe)
Comment 30 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-17 09:55:44 PDT
(In reply to Alex Keybl [:akeybl] from comment #28)
> Anthony, were you able to ever get the notification bar to come down?

I think my steps need clarification; I might have been testing this incorrectly.

> 1. Install Flash 10.1
> 2. Force a blocklist ping to staging
No notification bar appears. I was expecting it to appear at this point based on comment 19.
> 3. Go to YouTube.com
Notification bar appears stating "Some plugins used by this page are out of date"
Comment 31 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-17 10:02:35 PDT
Furthermore, after updating Flash I did not see another notification bar, and I've still not experienced the double version that Al and Softvision reported.
Comment 32 Alex Keybl [:akeybl] 2012-05-17 10:59:16 PDT
(In reply to [:Cww] from comment #29)
> The only annoying thing would be that if a user tries to plugincheck again
> (or still has the tab open) it'll say that they're still out of date until
> they actually restart their computer.  (And they're correspondingly not-safe)

This is correct, but I think the pros of having them update and be safe on next restart outweigh the cons around the possibility of confusion.
Comment 33 Alex Keybl [:akeybl] 2012-05-18 16:26:52 PDT
Unless there are any remaining concerns, we plan to roll this to production on 5/23.
Comment 34 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-19 14:18:00 PDT
There was an ask at last Thursday's channel meeting for QA to verify UX for a couple of scenarios.

> 1. What happens when a user dismisses the notification bar?
> 2. What happens when a user has Flash content loaded in multiple tabs?
> 3. What happens when a user has multiple "blocked" plugins installed?

Unfortunately, I can't seem to get the block working now. I have the correct entry in a new profile's blocklist.xml after forcing a ping but when I load Flash content with Flash 10.1r82 installed I don't see a notification bar and the Flash content is not blocked.

Since it's now the weekend and I am off Monday due to a public holiday in Canada, I ask that someone else please test this. Either I'm doing something wrong or the block is not 100%.
Comment 35 juan becerra [:juanb] 2012-05-21 12:02:30 PDT
Using Fx12, Flash 10.2.153.1, Win7 (32bit).

This is the current staged blocklist entry:

<pluginItem blockID="p87">
<match name="filename" exp="(NPSWF32\.dll)|(Flash\ Player\.plugin)"/>
<versionRange minVersion="0" maxVersion="10.2.159.1" severity="0"/>
</pluginItem>

1. If you dismiss the notification bar, it does just that. The video keeps playing while the notification is up and after you dismiss it. If you reload the page (say Youtube) or if you restart your browser, the notification will appear again.

2. When the user has Flash content in multiple tabs, the notification will appear on each of those tabs.

3. Still working on this one.
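
The matching discussed in comments 6, 10 and 35, as an added example that is not part of the original thread and is not Firefox's own code: it parses the staged p87 entry and evaluates it against sample plugins. Assumptions: `exp` is applied as an unanchored regular-expression search, versions are compared as zero-padded dotted integers (a simplification of Firefox's version comparator), and the plugin records are constructed samples built from file names and versions mentioned in this bug.

```python
import re
import xml.etree.ElementTree as ET

# Staged entry exactly as quoted in comment 35.
STAGED_ENTRY = r"""
<pluginItem blockID="p87">
<match name="filename" exp="(NPSWF32\.dll)|(Flash\ Player\.plugin)"/>
<versionRange minVersion="0" maxVersion="10.2.159.1" severity="0"/>
</pluginItem>
"""

# File-name RE first proposed in comment 6, before it was narrowed in comment 11.
COMMENT_6_EXP = r"NPSWF[0-9_]*\.dll"

# Severity levels as stated in comment 10 and confirmed in comment 16.
STATES = {0: "outdated-notification", 1: "softblock", 2: "hardblock"}

# Constructed sample plugins (not real telemetry).
SAMPLES = [
    {"os": "Windows", "filename": "NPSWF32.dll", "version": "10.2.153.1"},
    {"os": "Windows", "filename": "NPSWF32.dll", "version": "10.2.159.1"},
    {"os": "Windows", "filename": "NPSWF32_11_2_202_235.dll", "version": "11.2.202.235"},
    {"os": "Mac", "filename": "Flash Player.plugin", "version": "11.3.300.265"},
    {"os": "Linux", "filename": "libflashplayer.so", "version": None},
]


def version_key(text, width=6):
    """Simplified comparator (assumption): dotted integers, zero padded."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def load_entry(xml_text):
    """Parse one <pluginItem> into its match rules and version ranges."""
    item = ET.fromstring(xml_text.strip())
    matches = [(m.get("name"), re.compile(m.get("exp")))
               for m in item.findall("match")]
    ranges = [(r.get("minVersion"), r.get("maxVersion"), int(r.get("severity")))
              for r in item.findall("versionRange")]
    return {"blockID": item.get("blockID"), "matches": matches, "ranges": ranges}


def blocklist_state(plugin, entry):
    """Return the state name for a plugin, or None when the entry does not apply."""
    # Every <match> rule must hit; unanchored search is an assumption.
    for field, pattern in entry["matches"]:
        if not pattern.search(plugin.get(field) or ""):
            return None
    version = plugin.get("version")
    if not version:
        # Comment 6: where no version is reported, a version range cannot be used.
        return None
    for low, high, severity in entry["ranges"]:
        if version_key(low) <= version_key(version) <= version_key(high):
            return STATES[severity]
    return None


def filename_hits(exp, names):
    """List the file names that a given filename RE would select."""
    pattern = re.compile(exp)
    return [name for name in names if pattern.search(name)]


if __name__ == "__main__":
    entry = load_entry(STAGED_ENTRY)
    for plugin in SAMPLES:
        state = blocklist_state(plugin, entry)
        print(f'{plugin["os"]:8} {plugin["filename"]:26} '
              f'{plugin["version"] or "(none)":14} -> {state}')
    names = [p["filename"] for p in SAMPLES]
    print("comment 6 RE selects:", filename_hits(COMMENT_6_EXP, names))
```

The broader RE from comment 6 selects both the unversioned and the versioned Windows file names, so with that pattern only the `versionRange` separates outdated installs from current ones.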
Comment 36 juan becerra [:juanb] 2012-05-21 13:11:23 PDT
3. I couldn't get another plugin that was blocked with the same severity on either Mac or Windows. I tried editing the blocklist file to see if I could get blocked versions of the Java/Adobe Reader plugins to be treated like the blocked version of Flash, but in the end those are just plain disabled so I couldn't see notification bars for those.
Comment 37 Robert Kaiser 2012-05-21 13:37:25 PDT
(In reply to juan becerra [:juanb] from comment #36)
> 3. I couldn't get another plugin that was blocked with the same severity

This is the first time we are using severity=0 at all. I guess you'd need to manually modify another block to severity=0 to test this.
Comment 38 juan becerra [:juanb] 2012-05-21 14:07:12 PDT
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #37)
> (In reply to juan becerra [:juanb] from comment #36)
> > 3. I couldn't get another plugin that was blocked with the same severity
> 
> This is the first time we are using severity=0 at all. I guess you'd need to
> manually modify another block to severity=0 to test this.

I tried modifying several blocks to severity=0 per comment #36 in which I didn't explain this is one of the things I had tried. Also, I remember having seen this type of severity in years past (at least through testing of the system).
Comment 39 Jorge Villalobos [:jorgev] 2012-05-23 09:16:17 PDT
The notification bar "block" is live now: https://addons.mozilla.org/en-US/firefox/blocked/p94
Comment 40 Michael Coates [:mcoates] (acct no longer active) 2012-05-23 09:18:28 PDT
Since we are doing severity=0 info bar "blocking" is it really correct to say "Flash Player Plugin has been blocked for your protection."?

The infobar doesn't actually block, it just provides a warning message and still allows the flash plugin to be used.
Comment 41 Jorge Villalobos [:jorgev] 2012-05-23 10:08:14 PDT
That message is hard-coded in the block pages. I edited the description to try to explain the kind of block this is.
Comment 42 chris hofmann 2012-05-23 11:31:37 PDT
we can watch these reports for drops in the frequency of particular flash being around at the time of crashes.

https://crash-analysis.mozilla.com/chofmann/20120522/flash-version-breakdown.txt

After this runs a bit I can scrape data over several days to see any trends a bit easier.

Kairo has a report running as well.
Comment 43 Johnathan Nightingale [:johnath] 2012-05-23 11:37:11 PDT
(In reply to chris hofmann from comment #42)
> we can watch these reports for drops in the frequency of particular flash
> being around at the time of crashes.
> 
> https://crash-analysis.mozilla.com/chofmann/20120522/flash-version-breakdown.txt
> 
> After this runs a bit I can scrape data over several days to see any trends
> a bit easier.
> 
> Kairo has a report running as well.

Perfect, thanks chofmann/kairo!

(In reply to Jorge Villalobos [:jorgev] from comment #41)
> That message is hard-coded in the block pages. I edited the description to
> try to explain the kind of block this is.

Is there a bug to have that changed?
Comment 44 Jorge Villalobos [:jorgev] 2012-05-23 11:53:07 PDT
(In reply to Johnathan Nightingale [:johnath] from comment #43)
> (In reply to Jorge Villalobos [:jorgev] from comment #41)
> > That message is hard-coded in the block pages. I edited the description to
> > try to explain the kind of block this is.
> 
> Is there a bug to have that changed?

There's an Add-ons Work Week planned for early June where we will discuss a number of changes to the blocklist mechanism. I'll make sure this is brought up.
Comment 45 Alex Keybl [:akeybl] 2012-05-23 12:35:06 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #39)
> The notification bar "block" is live now:
> https://addons.mozilla.org/en-US/firefox/blocked/p94

Since this block is out of the ordinary, let's verify that things are working as expected. Adding qawanted to verify that this is fixed.
Comment 46 Robert Kaiser 2012-05-23 13:24:21 PDT
(In reply to chris hofmann from comment #42)
> Kairo has a report running as well.

FYI, my reports are e.g. https://crash-analysis.mozilla.com/rkaiser/2012-05-22/2012-05-22.firefox.12.0.flashhangs.html - they separately look at how Flash hangs and crashes spread across Flash versions and compare if a version gets a higher percentage of crashes or hangs.
Comment 47 Jorge Villalobos [:jorgev] 2012-05-23 14:43:45 PDT
According to some people I've talked to, updating the Flash plugin for Windows not only installs Google Chrome but also sets it up as the default browser. So I guess we're losing those crashes one way or another :\

Just wanted to point this out as an unwanted side effect of these blocks (and the Adobe plugin in general).
Comment 48 juan becerra [:juanb] 2012-05-23 14:53:39 PDT
(In reply to Alex Keybl [:akeybl] from comment #45)
> (In reply to Jorge Villalobos [:jorgev] from comment #39)
> > The notification bar "block" is live now:
> > https://addons.mozilla.org/en-US/firefox/blocked/p94
> 
> Since this block is out of the ordinary, let's verify that things are
> working as expected. Adding qawanted to verify that this is fixed.

This is fixed in production. Tested with Fx12 and Fx3.6.28 on Windows XP. When you play a video in youtube.com using a version of Flash <= 10.2.159.1 you get the notification bar. If you are up to date, there's no notification bar.
Comment 49 broc 2012-05-29 03:04:13 PDT
Since May 23rd and Shockwave Flash 10.1 r102 blocked, I cannot use Firefox 3.0.5 properly.
Anyway, I've been working without problems for years on a Mac Mini PowerPC G4. Actually it is not possible to upgrade Shockwave Flash 10.1 r102 on my Mac.
How can I reactivate Shockwave Flash 10.1 r102 please?
Comment 50 Matthias Versen [:Matti] 2012-05-29 05:23:55 PDT
broc@swing.be:
switch extensions.blocklist.enabled in about:config (enter as url) to false and remove the file blocklist.xml in your firefox profile.
Comment 51 broc 2012-05-29 05:44:55 PDT
(In reply to Matthias Versen (Matti) from comment #50)
> broc@swing.be:
> switch extensions.blocklist.enabled in about:config (enter as url) to false
> and remove the file blocklist.xml in your firefox profile.

Great! Thank you very much!
Comment 52 Robert Kaiser 2012-05-29 05:55:19 PDT
(In reply to broc from comment #49)
> Since May 23rd and Shockwave Flash 10.1 r102 blocked, I cannot use Firefox
> 3.0.5 properly. 

We didn't block Flash at all in this bug. We only added display of a notification bar. One possibility is that your ancient and insecure Firefox 3.0 doesn't know about the different severities in the blocklist and therefore interprets our action as a block.
Even on a G4 I guess you should be able to run at least Firefox 3.6 or even TenFourFox, at least if you have OSX 10.4 or even 10.5 installed.

In any case, using this Firefox version and any unmaintained OS version (which you pretty sure have, as Apple only maintains 10.6 and up at this time) is a big risk to your computer, your data and yourself. Turning the blocklist on or off doesn't make it worse, at least, you're heavily at risk in any case.
Comment 53 Terry R. 2012-05-29 10:07:01 PDT
(In reply to Matthias Versen (Matti) from comment #50)
> broc@swing.be:
> switch extensions.blocklist.enabled in about:config (enter as url) to false
> and remove the file blocklist.xml in your firefox profile.

Matthias,

I've received many Mozilla webmaster emails from PPC users complaining about not being able to access many web pages now.  Will changing the pref above allow Flash for them, or do they also need to remove the file also?  Does this also affect Java?
Comment 54 Jorge Villalobos [:jorgev] 2012-05-29 11:04:26 PDT
Changing the pref will only stop Firefox from reloading the blocklist, which we strongly recommend against. If they want to remove the Flash block, they will need to change the pref *and* either delete the file (which will remove *all* blocks, including Java) or open it and remove entry p94, if they know what they're doing.
Comment 55 Terry R. 2012-05-29 11:17:25 PDT
Thanks Jorge.  These users can't update Flash or Java, and if Firefox won't work on web pages, they'll use Safari and forget about Firefox.  I've had many already state, "Firefox doesn't work but Safari does, why?"  As long as they have their old PPC's they can't update their plugins.
Comment 56 Al Billings [:abillings] 2012-05-29 11:55:09 PDT
Using out of date versions of Firefox on operating systems that are no longer supported by their vendors means that these users, regardless of whether they are using Firefox or Safari, are likely to pick up malware and have their computers compromised sooner or later. It is a nasty Internet out there and out of support systems are going to get infected in all likelihood.
Comment 57 Terry R. 2012-05-29 12:00:40 PDT
(In reply to Al Billings [:abillings] from comment #56)
> Using out of date versions of Firefox on operating systems that are no
> longer supported by their vendors means that these users, regardless of
> whether they are using Firefox or Safari, are likely to pick up malware and
> have their computers compromised sooner or later. It is a nasty Internet out
> there and out of support systems are going to get infected in all likelihood.

I understand that, as I'm a computer consultant.  But blocking Firefox from being used will only frustrate users who have good working computers that can't afford to purchase a new one.  And the likelihood of a PPC user getting malware is a lot less than a PC (note I said "less").
Comment 58 Matthias Versen [:Matti] 2012-05-29 12:13:40 PDT
I posted the instructions in comment #50 only for this case:
Unsupported browser version, plugin version, OS version and hardware platform (PPC).
These users are already affected by the out of date browser and a vulnerable plugin will not add much additional security risk. I recommend disabling the infobar for Firefox versions that did not block the plugin (bug 758294).

I know that I will get SPAM mails in the future from these botnet drones but PPC may limit this :-(
Comment 59 broc 2012-06-06 00:36:51 PDT
Duplicate of this bug: 761724
Comment 60 patrick.helm 2012-06-17 15:38:13 PDT
Has anyone else noticed that on Mac OS X, 10.6.8 clients, Firefox 3.05 or even current v12 (doesn't matter), does not correctly identify the version of flash.

We have v11+ and it says it in the add-ons section, but it still blocks this.

IT IS ONLY ON NETWORK HOMES - compared to local home accounts.

The Local user admin works fine.

PLEASE HELP - schools - and managed networks are failing and resorting to safari.
Comment 61 Alex Keybl [:akeybl] 2012-06-17 15:50:31 PDT
(In reply to patrick.helm from comment #60)
> Has anyone else noticed that on Mac OS X, 10.6.8 clients, Firefox 3.05 or
> even current v12 (doesn't matter), does not correctly identify the version
> of flash.
> 
> We have v11+ and it says it in the add-ons section, but it still blocks this.
> 
> IT IS ONLY ON NETWORK HOMES - compared to local home accounts.
> 
> The Local user admin works fine.
> 
> PLEASE HELP - schools - and managed networks are failing and resorting to
> safari.

On newer versions of Firefox that support the infobar 'block' (FF4 and up), we are only notifying the user that their version of Flash is vulnerable. We are not blocking Flash from use, merely notifying that it should be updated. If mistakenly displaying the out-of-date Flash notification bar is a critical issue for you all, I suggest you disable the blocklist check (as in comment 50).

I'm adding the qawanted keyword to see if we can test the combination of a 10.6.8 network home, FF13, and a Flash version >10.2.159.1, to verify your issue. Any additional info would be helpful - where Flash was installed, whether the application or just the profile was on the network home, etc. We'll file a separate bug if we end up reproducing the problem, and fix the problem on our end.

Firefox 3.0.5 is unsupported by Mozilla, and therefore we won't be investigating any further there.
Comment 62 patrick.helm 2012-06-17 16:38:45 PDT
Hi, 
Whilst I appreciate the quick response, I'm not sure if you noticed the specifics of the issue.
It's not the firefox version that's of interest here, it's the type of network/local account scenario that changes the behaviour.
In firefox v3 or v12 (no difference), via a network authenticated login on the Mac, the user has flash blocked even though it is 11.*

When logged in as a local admin on the machine, the behaviour is normal.
When logged in as a network admin, the behaviour is abnormal.
When logged in as a standard network user, the behaviour is abnormal.

The option to remove and edit 600+ individual profiles, unless you can tell me how to script on a mac, the change to the about:config section, is not viable.

I hope this helps the clarification.

If they can't replicate, I'll try to get you guys the specific flash version, it wasn't absolutely current, but when is it - they release new ones every second day - much like firefox :P

I re-read your post and realised you have understood the issue in the 2nd last paragraph.. so cheers.
Comment 63 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-06-19 12:39:22 PDT
Alex, would it be possible to forward your qawanted request on to the Enterprise Testers list? I believe Patrick's problem requires an environment where network authentication is required to gain access to the operating system. I don't believe we have access to this type of environment for testing.

I believe the testing should be:
1) As a local admin, install Firefox 13.0.1 and Flash 10.2.159.1, log out
2) As a network admin, start Firefox and check the Flash version in about:plugins
3) As a network user, start Firefox and check the Flash version in about:plugins
4) As a local admin, update to the latest Flash 11.3 and repeat steps 2 & 3

I would expect the Flash version to match correctly.
Comment 64 Alex Keybl [:akeybl] 2012-06-19 12:42:07 PDT
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #63)
> Alex, would it be possible to forward your qawanted request on to the
> Enterprise Testers list?

Done.
Comment 65 chris hofmann 2012-06-19 12:54:09 PDT
number of crash reports where 10.2.59.1 was reported is about 60% of what it was a few weeks ago.

date     pct.   count   flash version

20120501 0.007 	571	10.2.159.1
20120502 0.009 	699	10.2.159.1
20120503 0.008 	624	10.2.159.1
20120504 0.007 	579	10.2.159.1
20120505 0.006 	569	10.2.159.1
20120506 0.007 	598	10.2.159.1
20120507 0.007 	567	10.2.159.1
20120508 0.008 	615	10.2.159.1
20120509 0.007 	533	10.2.159.1
20120510 0.007 	571	10.2.159.1
20120511 0.008 	610	10.2.159.1
20120512 0.007 	550	10.2.159.1
20120513 0.009 	618	10.2.159.1
20120514 0.007 	543	10.2.159.1
20120515 0.008 	614	10.2.159.1
20120516 0.007 	552	10.2.159.1
20120517 0.008 	638	10.2.159.1
20120518 0.007 	536	10.2.159.1
20120519 0.008 	565	10.2.159.1
20120520 0.007 	514	10.2.159.1
20120521 0.008 	585	10.2.159.1
20120522 0.008 	623	10.2.159.1
20120523 0.008 	599	10.2.159.1
20120524 0.007 	557	10.2.159.1
20120525 0.007 	535	10.2.159.1
20120526 0.007 	489	10.2.159.1
20120527 0.007 	497	10.2.159.1
20120528 0.006 	457	10.2.159.1
20120529 0.007 	514	10.2.159.1
20120530 0.007 	496	10.2.159.1
20120531 0.006 	443	10.2.159.1
20120601 0.006 	434	10.2.159.1
20120602 0.006 	431	10.2.159.1
20120603 0.006 	430	10.2.159.1
20120604 0.006 	443	10.2.159.1
20120605 0.005 	394	10.2.159.1
20120606 0.005 	384	10.2.159.1
20120607 0.005 	376	10.2.159.1
20120608 0.006 	467	10.2.159.1
20120609 0.005 	409	10.2.159.1
20120610 0.005 	445	10.2.159.1
20120611 0.004 	416	10.2.159.1
20120612 0.003 	382	10.2.159.1
20120613 0.003 	363	10.2.159.1
20120614 0.003 	398	10.2.159.1
20120615 0.003 	421	10.2.159.1
20120616 0.003 	416	10.2.159.1
20120617 0.003 	395	10.2.159.1
Comment 66 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-06-21 15:34:59 PDT
I don't think we need qawanted on this bug anymore, removing it.
Comment 67 patrick.helm 2012-07-29 18:54:05 PDT
Loading 14.0.1 on Network Login style machine on Mac OS X 10.6.8 still causes the Adobe Flash Plugin to be disabled.

flash version 11.3.300.265.

Network account login fails.
Local account is ok.
