Closed Bug 797378 Opened 7 years ago Closed 7 years ago

Deploy click-to-play and info bar blocks on popular plugins

Categories

(Toolkit :: Blocklist Policy Requests, defect)


VERIFIED FIXED

People

(Reporter: jorgev, Assigned: jorgev)

References

(Depends on 1 open bug, )

Details

We're staging some CTP blocks so we can test the feature. See Etherpad for the list to block: https://bsmedberg.etherpad.mozilla.org/ff15-ctp-blocklist-proposal

I'll block a few of these so we can verify that it works correctly.
QA Contact: paul.silaghi
I didn't add the Java blocks, since they're apparently missing information.

I talked to Paul earlier and he is just done for the day, so I think someone else will need to do the testing if we want the results as early as possible.
Status: NEW → RESOLVED
Closed: 7 years ago
Keywords: qawanted
Resolution: --- → FIXED
Is this block platform specific or does it need testing across all platforms?
QA Contact: paul.silaghi → anthony.s.hughes
Also what versions of Firefox does this need testing with? Firefox 16b6 I assume?
All blocks are Windows-only, and they should be tested in Firefox 17 to see the CTP block, and Firefox 16b6 to see the infobar block.
(In reply to Jorge Villalobos [:jorgev] from comment #7)
> I didn't add the Java blocks, since they're apparently missing information.
> 
> I talked to Paul earlier and he is just done for the day, so I thing someone
> else will need to do the testing if we want the results as early as possible.

I added Java 7 previously, what exactly do you need?
Unlike other blocks in the Etherpad, it doesn't say which version ranges to block.
dveditz or mcoates were supposed to provide the specific Java version information.
The block does not appear to be working properly. With Flash 10.1.85.3 I am seeing an info-bar with Firefox 17.0a2 2012-10-03. I would expect to experience a CTP block on Firefox 17. Blocklist.xml appears to be properly updated:

<pluginItem  blockID="p139">
<match name="filename" exp="NPSWF32\.dll" />
<versionRange  minVersion="0" maxVersion="10.3.183.19" severity="0" vulnerabilitystatus="1">
</versionRange>
</pluginItem>
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Pinged David about this - hopefully he'll be able to help us figure out what's wrong.
I'm pretty sure this is the culprit:

<pluginItem blockID="p94">
<match name="filename" exp="(NPSWF32\.dll)|(Flash\ Player\.plugin)"/>
<versionRange minVersion="0" maxVersion="10.2.159.1" severity="0"/>
</pluginItem>

p94 is essentially overriding p139 with an infobar.
Anthony, can you test a version higher than 10.2.159.1 and lower or equal to 10.3.183.19?
I tried Flash 10.3.181.14 and it appears the CTP block works in this instance. Loading a YouTube video overlays the video with the following warning:

This plugin is vulnerable and should be updated. 
__Check for updates__...
Click here to activate the Adobe Flash plugin.

Adobe Flash remains enabled in the Add-ons Manager.
Clicking the overlay plays the video.
Reloading the page redisplays the overlay.
Clicking "Check for updates" loads the PFS page in a new tab.

I suppose this is the UX we are looking for but that the p94 block is overriding this one for affected versions.
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #18)
> Adobe Flash remains enabled in the Add-ons Manager.

Bug 772897 adds some UI to indicate the vulnerability status in the addons manager, but it hasn't been uplifted. I flagged the patch approval-mozilla-aurora? today.
I think we should hold off on testing Aurora until that lands so we can test the complete end-to-end experience. Though that should not block testing the Firefox 16b6 info-bar experience. Any objections?
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #13)
> dveditz or mcoates were supposed to provide the specific Java version
> information.

Java 7.x (Update 0 through 6)
Does not impact Java 6 and below
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #20)
> I think we should hold off on testing Aurora until that lands so we can test
> the complete end-to-end experience. Though that should not block testing the
> Firefox 16b6 info-bar experience. Any objections?

I spoke with Alex Keybl about this on IRC and he doesn't think that bug 772897 blocks any further testing. Unfortunately, I won't have enough time to finish up the testing today but I've instructed Paul to take over tonight. For those of you interested, our test plan is here:
https://wiki.mozilla.org/QA/Plugins/CTP_Blocklist

Paul, please reassign me as the QA Contact in the morning so I can pick up where you leave off.
QA Contact: anthony.s.hughes → paul.silaghi
Hi guys,

I see the following behavior on FF 16b6 and not convinced it's the right one:
1. Force the blocklist ping
2. Open a youtube video => the video is click-to-play (old UI)
3. Click on the video => infobar saying "Some plugins user by this page are out of date"

What do you think?
Also, after updating Flash, the block/notification won't disappear until FF is restarted.
FF16 should not be showing CTP UI under any circumstances. That should have been fixed by bug 793273.
Adobe Flash 11.2.202.235, Adobe Flash 11.3.300.271 are not blocked.
<pluginItem blockID="p141">
<match name="filename" exp="NPSWF32\.dll" />
<versionRange minVersion="11.0" maxVersion="11.3.9999" severity="0" vulnerabilitystatus="1"></versionRange>
</pluginItem>

I think this is because starting with Flash 11.2.xxx.xxx the dlls have different names:
File:  NPSWF32_11_2_202_235.dll
(In reply to Paul Silaghi [QA] from comment #23)
> Hi guys,
> 
> I see the following behavior on FF 16b6 and not convinced it's the right one:
> 1. Force the blocklist ping
> 2. Open a youtube video => the video is click-to-play (old UI)
> 3. Click on the video => infobar saying "Some plugins user by this page are
> out of date"
> 
> What do you think?

Actually, this happens only if forcing the ping in Aurora first (and seeing the CTP block) and then using the same profile in Beta 6. Tested with Flash 10.3.181.34, Adobe Reader 8.1.3.187, Silverlight 4.0.60531.0.
If running vice-versa, force ping in FF 16b6 - everything will be ok here, but nothing will be blocked in FF 17 using the same profile.
I'm reproducing what Paul reports in comment 26.

Flash 11.3.300.273 is not blocked at all. The DLL is NPSWF32_11_3_300_273.dll which is not captured by "NPSWF32\.dll". I think the p141 block needs to be updated.
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #29)
> I'm reproducing what Paul reports in comment 26.
> 
> Flash 11.3.300.273 is not blocked at all. The DLL is
> NPSWF32_11_3_300_273.dll which is not captured by "NPSWF32\.dll". I think
> the p141 block needs to be updated.

As per previous testing, the first version to use version number in the DLL name was Flash 11.2.202.228; the last version to use NPSWF32.dll was Flash 11.1.102.63.
I just updated the regular expression to NPSWF32[0-9_]*\.dll. It should be updated in the downloaded blocklist within an hour.
Question about Reader, should Adobe Reader 10.1.3.23 be blocked?

<pluginItem  blockID="p145">
<match name="filename" exp="nppdf32\.dll" />
<versionRange  minVersion="10.0" maxVersion="10.1.3" severity="0" vulnerabilitystatus="1"></versionRange>
</pluginItem>
It's not supposed to be blocked given how the block is currently set up. I don't know if the block should cover those versions too, though. The etherpad says to block up to 10.1.3, but maybe they meant 10.1.3.*
FWIW, all Reader versions have a x.x.x.x version string in about:plugins, even though Adobe calls them version x.x.x.
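The two coverage gaps discussed in this thread, the `NPSWF32\.dll` regex missing the versioned Flash DLL names (comment 29/30) and `maxVersion="10.1.3"` not covering Reader 10.1.3.23, can be checked offline with a small evaluator. This is an added example, not Firefox's own blocklist code: it assumes unanchored regex search on the filename and a purely numeric dotted-version comparison with missing parts treated as 0 (a simplification of Mozilla's version comparator), and the XML below is a constructed sample built from the entries quoted in this bug.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample blocklist: p139, p141 as originally staged, p145 as
# quoted in this bug, plus "p141_fixed" carrying the corrected Flash regex
# from comment 30. Not the real blocklist.xml.
BLOCKLIST_XML = r"""<blocklist>
<pluginItem blockID="p139">
  <match name="filename" exp="NPSWF32\.dll" />
  <versionRange minVersion="0" maxVersion="10.3.183.19" severity="0" vulnerabilitystatus="1"/>
</pluginItem>
<pluginItem blockID="p141">
  <match name="filename" exp="NPSWF32\.dll" />
  <versionRange minVersion="11.0" maxVersion="11.3.9999" severity="0" vulnerabilitystatus="1"/>
</pluginItem>
<pluginItem blockID="p141_fixed">
  <match name="filename" exp="NPSWF32[0-9_]*\.dll" />
  <versionRange minVersion="11.0" maxVersion="11.3.9999" severity="0" vulnerabilitystatus="1"/>
</pluginItem>
<pluginItem blockID="p145">
  <match name="filename" exp="nppdf32\.dll" />
  <versionRange minVersion="10.0" maxVersion="10.1.3" severity="0" vulnerabilitystatus="1"/>
</pluginItem>
</blocklist>"""


def version_key(version):
    """Dotted version -> tuple of ints; a non-numeric part counts as 0
    (simplification of Mozilla's nsIVersionComparator, assumed here)."""
    parts = []
    for p in version.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_cmp(a, b):
    """-1, 0 or 1; shorter versions are padded with zeros, so 10.1.3 < 10.1.3.23."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def parse_blocklist(xml_text):
    """Return [(blockID, [(match name, compiled regex)], [(min, max)])]."""
    items = []
    for item in ET.fromstring(xml_text).findall("pluginItem"):
        matches = [(m.get("name"), re.compile(m.get("exp"))) for m in item.findall("match")]
        ranges = [(vr.get("minVersion", "0"), vr.get("maxVersion", "*"))
                  for vr in item.findall("versionRange")]
        items.append((item.get("blockID"), matches, ranges))
    return items


def matching_blocks(items, filename, version):
    """IDs of blocks whose filename regex matches (unanchored, like RegExp.test)
    and whose version range contains `version`."""
    hits = []
    for block_id, matches, ranges in items:
        if not all(rx.search(filename) for name, rx in matches if name == "filename"):
            continue
        for lo, hi in ranges:
            if version_cmp(version, lo) >= 0 and (hi == "*" or version_cmp(version, hi) <= 0):
                hits.append(block_id)
                break
    return hits


if __name__ == "__main__":
    items = parse_blocklist(BLOCKLIST_XML)
    for fn, ver in [("NPSWF32.dll", "10.1.85.3"),
                    ("NPSWF32_11_3_300_273.dll", "11.3.300.273"),
                    ("nppdf32.dll", "10.1.3.23")]:
        print(fn, ver, "->", matching_blocks(items, fn, ver))
```

Running it shows the versioned DLL is caught only by the corrected regex, and that Reader 10.1.3.23 falls outside a range ending at 10.1.3.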
(In reply to Jorge Villalobos [:jorgev] from comment #5)
> Silverlight below 4.1.10329.0
> https://addons-dev.allizom.org/en-US/firefox/blocked/p147
>
> Silverlight 5.0 to 5.1.10410.0
> https://addons-dev.allizom.org/en-US/firefox/blocked/p149

QA signs off the Silverlight staged blocks.
(In reply to Jorge Villalobos [:jorgev] from comment #3)
> Adobe Reader 9.5.1 and lower:
> https://addons-dev.allizom.org/en-US/firefox/blocked/p143

QA signs off the staged block for Adobe Reader 9.5.1 and lower.
(In reply to Jorge Villalobos [:jorgev] from comment #2)
> Adobe Flash 11.0 -> 11.4
> https://addons-dev.allizom.org/en-US/firefox/blocked/p141

QA signs off the staged block for Adobe Flash 11.0 to 11.4.
(In reply to Jorge Villalobos [:jorgev] from comment #4)
> Adobe Reader 10.0 to 10.1.3
> https://addons-dev.allizom.org/en-US/firefox/blocked/p145

QA signs off the staged block for Adobe Reader 10 to 10.1.3, assuming that 10.1.3.* builds not being blocked is not a blocker.
(In reply to Jorge Villalobos [:jorgev] from comment #1)
> Adobe Flash 10.3.183.19 and lower:
> https://addons-dev.allizom.org/en-US/firefox/blocked/p139

QA signs off the staged block for Adobe Flash 10.3.183.19 and lower, assuming that Flash <10.2.159.1 being info-bar blocked instead of CTP blocked due to block p94 is not a blocker.
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #39)
> assuming the fact that Flash <10.2.159.1 are info-bar blocked instead of CTP
> blocked due to block p94 is not a blocker.

Personally, I think this is something that should be fixed.
So, do you want me to remove the previous block? That should fix the problem.
(In reply to Jorge Villalobos [:jorgev] from comment #41)
> So, do you want me to remove the previous block? That should fix the problem.

Sounds good :)
OK, it's done on staging now.

I'm also changing this bug to include pushing these blocks to production.
Summary: Stage CTP blocks for testing → Deploy click-to-play and info bar blocks on popular plugins
I think we should probably replace all infobar blocks with CTP blocks because of the better UX. But that's just my opinion. ;-)
(In reply to Jorge Villalobos [:jorgev] from comment #43)
> OK, it's done on staging now.

Flash <10.2.159.1 works as a CTP block now. I see no blockers to pushing to production.
(In reply to Jorge Villalobos [:jorgev] from comment #1)
> Adobe Flash 10.3.183.19 and lower:
> https://addons-dev.allizom.org/en-US/firefox/blocked/p139

This block has been updated to exclude 10.3 and above. It now blocks 10.2.* and lower.
Pushed to production (all Windows-only):

Silverlight 4.1.10328.0 and lower
https://addons.mozilla.org/en-US/firefox/blocked/p152

Silverlight 5.0 to 5.1.10410.0
https://addons.mozilla.org/en-US/firefox/blocked/p154

Adobe Reader 9.5.1 and lower
https://addons.mozilla.org/en-US/firefox/blocked/p156

Adobe Reader 10.0 to 10.1.3
https://addons.mozilla.org/en-US/firefox/blocked/p158
(In reply to Jorge Villalobos [:jorgev] from comment #46)
> (In reply to Jorge Villalobos [:jorgev] from comment #1)
> > Adobe Flash 10.3.183.19 and lower:
> > https://addons-dev.allizom.org/en-US/firefox/blocked/p139
> 
> This block has been updated to exclude 10.3 and above. It now blocks 10.2.*
> and lower.

QA signs off this updated block. Flash 10.3 and above are no longer blocked, Flash 10.2 and below are info-bar blocked in Firefox 16 and CTP blocked in Firefox 17.
(In reply to Jorge Villalobos [:jorgev] from comment #47)
> Pushed to production (all Windows-only):
> 
> Silverlight 4.1.10328.0 and lower
> https://addons.mozilla.org/en-US/firefox/blocked/p152

QA signs off the Silverlight 4.1.10328.0 and lower live block.
(In reply to Jorge Villalobos [:jorgev] from comment #47)
> Pushed to production (all Windows-only):
>
> Silverlight 5.0 to 5.1.10410.0
> https://addons.mozilla.org/en-US/firefox/blocked/p154

QA signs off the Silverlight 5.0 to 5.1.10410.0 live block.
Adobe Flash 10.2.* and lower
https://addons.mozilla.org/en-US/firefox/blocked/p160

This covers all the blocks we decided to push for now. Please file separate bugs for other blocks.
Status: REOPENED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
(In reply to Jorge Villalobos [:jorgev] from comment #47)
> Pushed to production (all Windows-only):
>  
> Adobe Reader 9.5.1 and lower
> https://addons.mozilla.org/en-US/firefox/blocked/p156

QA signs off the Adobe Reader 9.5.1 and lower live block.
(In reply to Jorge Villalobos [:jorgev] from comment #47)
> Pushed to production (all Windows-only):
> 
> Adobe Reader 10.0 to 10.1.3
> https://addons.mozilla.org/en-US/firefox/blocked/p158

QA signs off the Adobe Reader 10.0 to 10.1.3 live block.
(In reply to Jorge Villalobos [:jorgev] from comment #51)
> Adobe Flash 10.2.* and lower
> https://addons.mozilla.org/en-US/firefox/blocked/p160

This block does not appear to be working as expected after being pushed live. Adobe Flash 10.1.85.3 and 10.2.159.1 are showing an info-bar block in Firefox 17 (not a CTP block). When testing on staging I got a CTP block for both. I'm not sure why this would be broken by the live push.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I just removed the old block on staging. After looking at the live block, I realized that it was meant for Windows and Mac OS, so on prod I modified the existing block to remove the Windows bits. It looks like it hasn't updated yet.
I tried saving the old block again to see if that kicks the cache into action. If that doesn't work, I'll remove and push the old block again, without the Windows bits so that it doesn't overlap with the new one.
Seems to be working properly now. I'll finish up the testing.
Status: REOPENED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
(In reply to Jorge Villalobos [:jorgev] from comment #51)
> Adobe Flash 10.2.* and lower
> https://addons.mozilla.org/en-US/firefox/blocked/p160

QA signs off the Adobe Flash 10.2.* and lower live block. With that, all staged blocks are now signed off and live. To reiterate, the following plugins are CTP blocked in Firefox 17:

* Adobe Flash <= 10.2.*
* Adobe Reader <= 10.1.3
* Microsoft Silverlight <= 5.1.10410.0
Status: RESOLVED → VERIFIED
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #54)
> (In reply to Jorge Villalobos [:jorgev] from comment #51)
> > Adobe Flash 10.2.* and lower
> > https://addons.mozilla.org/en-US/firefox/blocked/p160
> 
> This block does not appear to be working as expected after being pushed
> live. Adobe Flash 10.1.85.3 and 10.2.159.1 are showing an info-bar block in
> Firefox 17 (not a CTP block). When testing on staging I got a CTP block for
> both. I'm not sure why this would be broken by the live push.

I can still reproduce this on FF 17 with Flash 10.1.85.3 and 10.2.152.26
Please forget about comment 59.
It looks like Java was never added to the block - are we still doing this, or is there some information we need?
No, it was never added. Please file a new bug for it.

It's also worth noting that these blocks generated an unexpectedly high amount of traffic on the plugin check page, so we should wait some time before adding more big plugin blocks.
(In reply to Jorge Villalobos [:jorgev] from comment #62)
> It's also worth noting that these blocks generated an unexpectedly high
> amount of traffic on the plugin check page

No kidding - did you guys check the user agents of the high traffic? Because I for one am still using FF 3.6 (spare me the preaching), and since you tinkered with this blocklist.xml (I don't fully understand why or what these new features should do), I got this plugin page every day. Deleting the blocklist didn't help; updating all the plugins didn't help. The only thing that did help was setting the file to read only after manually removing the severity="0" entries...
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #58)
> the following plugins are CTP blocked in Firefox 17:
> * Adobe Flash <= 10.2.*
> * Adobe Reader <= 10.1.3
> * Microsoft Silverlight <= 5.1.10410.0

It seems that Silverlight 4.1.1039.0 is not blocked. Unfortunately I couldn't find the installation kit to re-test. Silverlight 4.0.60531.0 and 5.0.61118 are properly blocked.
http://www.microsoft.com/getsilverlight/locale/en-us/html/Microsoft%20Silverlight%20Release%20History.htm#SL_4_1_10329
Indeed, the only reliable source of Silverlight archives I can find is http://www.oldapps.com/silverlight.php and 4.1.1039.0 is not listed. Paul, please file a follow-up bug to investigate that particular Silverlight version. We are all done with this bug so any newly identified issues should be filed in separate bugs.
(In reply to Dominik Friedrichs from comment #63)
> No kidding - did you guys check the user agents of the high traffic? Because
> I for one am still using FF 3.6 (spare me the preaching), and since you
> tinkered with this blocklist.xml (I dont fully understand why or what these
> new features should do), I got this plugin page every day.

That is bug 802189, which we discovered after these blocks were deployed. We're still looking into it, because the plugin check page should be opened only once.
The IT staff is unable to do the update to the plugin. When they try to run as administrator the icon disappears or, if they get into the process, it doesn't allow them to login to their system which enables them to run programs.  I am not allowed to do any updates myself. Is there a way around this because I really don't want to use IE again!!! Thank you.
Chris Mildner cmildner@lhs.org
If this is about the recent Java block (bug 829111), all current versions are blocked, so there's no new version to update to in order to avoid the block. The type of block allows anyone to enable the plugin per-site, though.
(In reply to Jorge Villalobos [:jorgev] from comment #4)
> Adobe Reader 10.0 to 10.1.3
> https://addons-dev.allizom.org/en-US/firefox/blocked/p145

(In reply to Jorge Villalobos [:jorgev] from comment #68)
> If this is about the recent Java block (bug 829111), all current versions
> are blocked, so there's no new version to update to in order to avoid the
> block. The type of block allows anyone to enable the plugin per-site, though.
See Also: → 853629
The content of attachment 728519 [details] has been deleted for the following reason:

File has nothing to do with this bug.
Please read the Bugzilla Etiquette page before posting: https://bugzilla.mozilla.org/page.cgi?id=etiquette.html
Excuse me, I have been wondering for a very long time: WHY am I OBLIGED to switch to a version of the product THAT I DON'T LIKE!!!
I don't need the updated version!!!
Why is it being pushed on me, even when I try to send feedback!
Mine (the one I have installed now) is MORE STABLE! I have tried almost all your updated versions (and tried other browsers along the way)), and I ALWAYS went back to the old, RELIABLE version of Mozilla!
And now I was FORCED to register here, FOR SOME REASON YOU BLOCKED the Adobe Acrobat PLUGIN ...
You are not good people (to put it mildly!!!!): you FORCE people to switch to "new" ugly versions, and you make life miserable for those who don't want that! Why on earth did you decide that this plugin affects security((((((( On my own computer I will look after security MYSELF!!
HOW DO I ENABLE the Adobe Acrobat plugin again?!?
(In reply to Валентин from comment #79)

Google translate indicates you are wondering how to re-enable the Acrobat plug-in. There are two ways: either update to a version which is not vulnerable or manually whitelist it. More info can be found here:
http://support.mozilla.org/en-US/kb/why-do-i-have-click-activate-plugins
The content of attachment 8348341 [details] has been deleted for the following reason:

suspect attachment
The content of attachment 8463454 [details] has been deleted for the following reason:

suspect attachment
Product: addons.mozilla.org → Toolkit