Closed Bug 783068 Opened 11 years ago Closed 11 years ago

Blocklist Flash 11 versions < 11.3.300.271 on Intel due to 0-day

Categories

(Camino Graveyard :: Plug-ins, defect)

Product:
Camino Graveyard
Component:
Plug-ins
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: alqahira, Assigned: alqahira)

Details

(Whiteboard: [camino-2.1.3])

Attachments

(1 file)

Flash 11
1.15 KB, patch
Details | Diff | Splinter Review
Attached patch Flash 11Splinter Review 
There's an in-the-wild attack (on Windows) exploiting Flash that Adobe just released Flash 11.3.300.271 to account for.

There was no corresponding Flash 10.3 release; it's unclear whether they've now EOLed Flash 10.3 (but their normal download site still offers it, rather than forcing you to get it from the giant "Archived Flash Player Versions" zip) or if Flash 10.3 wasn't affected.

If it's the former, we'll want to come up with some form of mitigation for anyone using 10.3.x (10.4-10.5 Intel, plus anyone on 10.6+ who has installed 10.3.x for Camino), but it's unclear at this time, so we'll just have to wait-and-see.
Pushed the Flash 11 block version-rev as http://hg.mozilla.org/camino/rev/992ad5aec6f4
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
To partially answer my question: today's (regularly-scheduled?) Flash critical update[1] replaced Flash 11.3.x with Flash 11.4.402.265, and updated Flash 10.3 to 10.3.183.23 (a jump from .20 to .23; intermediate versions never seem to have been released, based on the list of archived Flash player versions[2]).

[1] http://www.adobe.com/support/security/bulletins/apsb12-19.html
[2] http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html#main_Archived_versions

So, we continue to remain OK (fingers crossed, knock on wood, …).
You need to log in before you can comment on or make changes to this bug.