Bug 806543 - Block malicious 'pink' add-ons
Status: RESOLVED FIXED
Product: Toolkit
Classification: Components
Component: Blocklisting
Assigned To: Jorge Villalobos [:jorgev]
: Anthony Hughes (:ashughes) [GFX][QA][Mentor]
Depends on: 806534
Reported: 2012-10-29 13:54 PDT by Jorge Villalobos [:jorgev]
Modified: 2016-03-07 15:30 PST (History)


Attachments
List of ids following this pattern (613 bytes, text/plain)
2012-10-29 13:54 PDT, Jorge Villalobos [:jorgev]
Test extension (2.62 KB, application/x-xpinstall)
2012-11-27 13:27 PST, Jorge Villalobos [:jorgev]

Description Jorge Villalobos [:jorgev] 2012-10-29 13:54:00 PDT
Created attachment 676294 [details]
List of ids following this pattern

While investigating bug 806451, I noticed another pattern in the IDs that pointed me to a series of add-ons that have ids starting with 'pink' and ending in '.info'. At least one of them has been blocked before (https://addons.mozilla.org/en-US/firefox/blocked/i84). We should block all of them.
Comment 1 Jorge Villalobos [:jorgev] 2012-11-27 13:27:55 PST
Created attachment 685808 [details]
Test extension

This block is now staged:
https://addons-dev.allizom.org/en-US/firefox/blocked/i217

We need to test it on Nightly in order to verify the fix for bug 806534.

I'm attaching an XPI that should be blocked by this. It's not a real sample because we don't have any XPI other than the one on bug 743484, but that one is already blocked.
Comment 2 Jorge Villalobos [:jorgev] 2012-11-27 13:28:56 PST
We need QA to verify this hardblock on staging. It needs to be tested on Nightly, using the test extension attached.
Comment 3 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-27 13:41:33 PST
After pinging staging, my blocklist.xml file contains:

<emItem blockID="i217" id="/^pink@.*\.info$/i">
  <versionRange minVersion="0" maxVersion="*" severity="3"></versionRange>
</emItem>

However, I'm not seeing any dialogs warning me about the extension and it remains enabled in the Add-ons Manager.
Comment 4 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-27 13:43:47 PST
I see the following in about:support:

[Pink Add-on | 1.0 | true | pink@plugin-tema-rosa.info]
Comment 5 Jorge Villalobos [:jorgev] 2012-11-27 14:14:18 PST
This was pushed today, so it'll have to wait for the next Nightly release (tomorrow, I presume). Sorry for that.
Comment 6 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-28 17:17:26 PST
Tested using Firefox Nightly 20.0a1 2012-11-28
* Pinging blocklist before add-on install blocks the installation of the Pink add-on
* Pinging blocklist after add-on install displays the hardblock UI and disables the Pink add-on
* Add-ons Manager does not give an option to re-enable the add-on

This looks good to me.
Comment 7 Alex Keybl [:akeybl] 2012-12-07 11:47:58 PST
Can we roll this out with a minimum version of FF19 today (since bug 806534 will be in Aurora tomorrow), and then FF18 and up next week?
Comment 8 Jorge Villalobos [:jorgev] 2012-12-07 13:49:55 PST
Blocked in production, Firefox 19.0a1 and above:

https://addons.mozilla.org/en-US/firefox/blocked/i238
Comment 9 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-12-10 16:26:01 PST
Trying to test this with Firefox Nightly 19.0a1 20121109030635 and this does not appear to be working; Pink add-on remains enabled.

After pinging the production blocklist I have the following in my blocklist.xml:
<emItem blockID="i238" id="/^pink@.*\.info$/">
  <versionRange minVersion="0" maxVersion="*" severity="3">
    <targetApplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
      <versionRange minVersion="19.0a1" maxVersion="*"/>
    </targetApplication>
  </versionRange>
</emItem>

However, the add-on remains unblocked after using the browser for 15 minutes. If I start Firefox 20.0a1 2012-12-10 with the same profile the add-on is blocked due to "security or stability issues".
Comment 10 Jorge Villalobos [:jorgev] 2012-12-10 17:15:08 PST
This was pushed to mozilla-central on 2012-11-27, so you would need to test on a nightly version newer than that. I think we want to test the Aurora version, though, so 19.0a2 will do.
Comment 11 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-12-10 19:09:55 PST
Okay, I guess I was confused by the "19.0a1" in the blocklist.xml file. I confirm that 19.0a2 and 20.0a1 both block the Pink add-on attached to this bug using the production blocklist.
Comment 12 Jorge Villalobos [:jorgev] 2012-12-11 15:00:16 PST
This has been updated in production to cover Firefox 18.0 and up. Please give it at least an hour before testing.
Comment 13 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-12-12 15:25:56 PST
This is not working with 18.0b3, should it?

From blocklist.xml:
<emItem blockID="i238" id="/^pink@.*\.info$/">
  <versionRange minVersion="0" maxVersion="*" severity="3">
    <targetApplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">
      <versionRange minVersion="18.0" maxVersion="*"/>
    </targetApplication>
  </versionRange>
</emItem>
Comment 14 Jorge Villalobos [:jorgev] 2012-12-12 17:54:54 PST
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #13)
> This is not working with 18.0b3, should it?

I thought that the UA for Beta was already the final one, 18.0 without any beta additions like b3. What is the UA string for b3?
Comment 15 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-12-13 10:32:10 PST
User Agent from about:support:
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Comment 16 Jorge Villalobos [:jorgev] 2012-12-13 17:32:28 PST
Tested on Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:18.0) Gecko/20100101 Firefox/18.0 and works as expected. Can you verify, please?
Comment 17 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-12-14 11:38:34 PST
(In reply to Jorge Villalobos [:jorgev] from comment #16)
> Tested on Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:18.0)
> Gecko/20100101 Firefox/18.0 and works as expected. Can you verify, please?

Specifically, which version of Firefox 18 is this? (i.e. which Beta)
Comment 18 Jorge Villalobos [:jorgev] 2012-12-17 08:19:30 PST
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #17)
> (In reply to Jorge Villalobos [:jorgev] from comment #16)
> > Tested on Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:18.0)
> > Gecko/20100101 Firefox/18.0 and works as expected. Can you verify, please?
> 
> Specifically, which version of Firefox 18 is this? (ie. which Beta)

It should be the latest beta (don't know the number). I just checked for updates and there were none.
Comment 19 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-12-17 16:11:54 PST
So this works now with 18.0b4.
* blocklist ping before add-on install blocks installing the add-on
* blocklist ping after add-on install triggers a hardblock

However it does not seem to work with 18.0b3. Shouldn't this block be working for all Firefox 18 builds?
Comment 20 Jorge Villalobos [:jorgev] 2012-12-18 06:57:00 PST
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #19)
> However it does not seem to work with 18.0b3. Shouldn't this block be
> working for all Firefox 18 builds?

The fix for bug 806534 was uplifted to beta on December 10th, and 18.0b3 was built on December 5th, so your observations are correct and match expectations.
Comment 21 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-12-18 11:12:05 PST
Okay, thanks Jorge. Given that I think we can call this fixed.
Comment 22 Jorge Villalobos [:jorgev] 2012-12-18 13:01:12 PST
Thanks, Anthony. We need one more verification, on ESR 17. Since we don't want the prod block to cover anything below 18, this needs to be tested with the staged block:

https://addons-dev.allizom.org/en-US/firefox/blocked/i237

However, I think there's no published version of the ESR with this patch. Alex, can you confirm this and tell Anthony which branch to use for testing?
Comment 23 Alex Keybl [:akeybl] 2012-12-19 11:56:50 PST
(In reply to Jorge Villalobos [:jorgev] from comment #22)
> Thanks, Anthony. We need one more verification, on ESR 17. Since we don't
> want the prod block to cover anything below 18, this needs to be tested with
> the staged block:
> 
> https://addons-dev.allizom.org/en-US/firefox/blocked/i237
> 
> However, I think there's no published version of the ESR with this patch.
> Alex, can you confirm this and tell Anthony which branch to use for testing?

Anthony grabs the nightlies of ESR17 to test, so this shouldn't be an issue.
Comment 24 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-12-19 14:52:45 PST
Firefox 17.0.1esrpre 2012-12-19 accepts the staged block, in that the Pink add-on is hardblocked following a blocklist ping to staging.
Comment 25 Jorge Villalobos [:jorgev] 2013-01-10 09:45:16 PST
Firefox 18 was released, so we can call this fixed with the block on prod.
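The emItem entries quoted in comments 3, 9 and 13 combine a regex add-on id with a target-application version range, and the staged entry (i217) carries the `i` flag while the production entry (i238) does not. The following Python is an added example, not Mozilla's Blocklist code: it re-implements the matching rules in simplified form (regex ids of the form /pattern/flags with only the `i` flag honoured, and a toolkit-style version comparison without `+` handling) over constructed copies of those two entries, so the version-gating and case-sensitivity behaviour discussed in the thread can be checked offline.

```python
import re
import xml.etree.ElementTree as ET
FIREFOX_APP_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"
# Constructed samples from the staged (i217) and production (i238) entries quoted in this
# bug, wrapped in a minimal document; the blocklist namespace is omitted as in the comments.
STAGING_XML = (r'<blocklist><emItem blockID="i217" id="/^pink@.*\.info$/i">'
               '<versionRange minVersion="0" maxVersion="*" severity="3"/></emItem></blocklist>')
PROD_XML = (r'<blocklist><emItem blockID="i238" id="/^pink@.*\.info$/">'
            '<versionRange minVersion="0" maxVersion="*" severity="3">'
            '<targetApplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}">'
            '<versionRange minVersion="18.0" maxVersion="*"/></targetApplication></versionRange></emItem></blocklist>')
_PART = re.compile(r"^(\d*)(\D*)(\d*)(.*)$")

def version_key(version):
    """Sort key for the Mozilla toolkit version format (simplified: no '+' handling). Each dotted part
    is <num><str><num><str>; a missing string ranks above a present one (19.0a1 < 19.0b3 < 19.0)."""
    if version == "*":
        return [(float("inf"),)]  # '*' as maxVersion means "no upper bound"
    key = []
    for part in version.split("."):
        a, b, c, d = _PART.match(part).groups()
        key.append((int(a or 0), b == "", b, int(c or 0), d == "", d))
    return key

def in_range(version, min_version, max_version):
    return version_key(min_version) <= version_key(version) <= version_key(max_version)
def id_matches(entry_id, addon_id):
    """An id written /pattern/flags is a regex (only the i flag is honoured); else exact match."""
    end = entry_id.rfind("/")
    if entry_id.startswith("/") and end > 0:
        flags = re.IGNORECASE if "i" in entry_id[end + 1:] else 0
        return re.search(entry_id[1:end], addon_id, flags) is not None
    return entry_id == addon_id

def block_severity(blocklist_xml, addon_id, addon_version, app_id, app_version):
    """Highest severity a matching emItem assigns (0 = not blocked, 3 = hardblock)."""
    severity = 0
    for item in ET.fromstring(blocklist_xml).iter("emItem"):
        if not id_matches(item.get("id"), addon_id):
            continue
        for vr in item.findall("versionRange"):
            if not in_range(addon_version, vr.get("minVersion", "0"), vr.get("maxVersion", "*")):
                continue
            apps = vr.findall("targetApplication")
            # Without a targetApplication the range applies whatever the application version.
            if apps and not any(app.get("id") == app_id and any(
                    in_range(app_version, r.get("minVersion", "0"), r.get("maxVersion", "*"))
                    for r in app.findall("versionRange")) for app in apps):
                continue
            severity = max(severity, int(vr.get("severity", "3")))
    return severity
```

With the production entry, the add-on id from comment 4 is hardblocked on Firefox 18.0 and 19.0a2 but not on 17.0.1esrpre, while the staged entry blocks it on any version; an id with upper-case letters matches only the staged, case-insensitive pattern.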
