Closed
Bug 812896
Opened 12 years ago
Closed 12 years ago
Softblock Java versions affected by CVE-2012-5076
Categories
(Toolkit :: Blocklist Policy Requests, defect)
Toolkit
Blocklist Policy Requests
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Assigned: jorgev)
Details
(Keywords: qawanted, sec-critical, sec-vector)
In October Oracle released a critical security update fixing several issues, including CVE-2012-5076 (see http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html). This bug affects Java 7u7 and below, though the Java 6 branch seems to be unaffected. Recently, an exploit for this bug was found in the Cool exploit pack: http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html Furthermore, the exploit was added to the Metasploit framework now. It is already planned that the affected versions are CTP in Firefox 17 and higher, but now that the exploit is public, we should also block them in Firefox 16 and below to protect our users from drive-by malware infections.
Comment 1•12 years ago
|
||
These are now on staging (addons-dev.allizom.org): <pluginItem blockID="p209"> <match name="name" exp="Java\(TM\) Plug-in 1\.7\.0(_0?([5-7]))?([^\d\._]|$)" /> <match name="filename" exp="libnpjp2\.so" /> <versionRange severity="1"> <targetApplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"> <versionRange minVersion="0.1" maxVersion="16.*" /> </targetApplication> </versionRange> </pluginItem> <pluginItem blockID="p211"> <match name="filename" exp="JavaAppletPlugin\.plugin" /> <versionRange minVersion="Java 7 Update 05" maxVersion="Java 7 Update 07" severity="1"> <targetApplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"> <versionRange minVersion="0.1" maxVersion="16.*" /> </targetApplication> </versionRange> </pluginItem> <pluginItem blockID="p213"> <match name="name" exp="Java\(TM\) Platform SE 7 U[5-7](\s[^\d\._U]|$)" /> <match name="filename" exp="npjp2\.dll" /> <versionRange severity="1"> <targetApplication id="{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"> <versionRange minVersion="0.1" maxVersion="16.*" /> </targetApplication> </versionRange> </pluginItem>
Comment 2•12 years ago
|
||
note i will inform oracle about our plans (this bug)
Comment 3•12 years ago
|
||
Due to bug 811375 (which will prevent the Java CTP block from being functional at FF17 launch), we'll actually need this block to cover Firefox 17 as well. Apologies for the churn, this is news to us as well.
Updated•12 years ago
|
Summary: Softblock Java versions affected by CVE-2012-5076 in Firefox 16 and below → Softblock Java versions affected by CVE-2012-5076
Comment 4•12 years ago
|
||
(In reply to Alex Keybl [:akeybl] from comment #3) > Due to bug 811375 (which will prevent the Java CTP block from being > functional at FF17 launch), we'll actually need this block to cover Firefox > 17 as well. Apologies for the churn, this is news to us as well. We'll actually track the bug preventing us from using Java CTP in FF17 in bug 812927.
Comment 5•12 years ago
|
||
Updated staging to work up to 17.*
Updated•12 years ago
|
QA Contact: anthony.s.hughes
We encountered several issues in testing this staged block. None of which were problems with the block itself but did affect our ability to test the block. In many cases, we found old Java versions to be disabled on first run. * Java 7u5 on all platforms * Java 7u6 on Windows and Mac * Java 7u7 on Windows In these cases, we could enable the plugin in Add-ons Manager and test the staged block. Juan encountered conflicting issues with OSX 10.8 testing. As with above, he saw the Java versions being disabled on first-run. However, on one machine he was not able to get Java content to load at all (even after enabling Java or updating to 7u9). On another machine, he kept being prompted to install Java SE 6 when loading Java content. Firefox whenever I try to load an applet. Juan, feel free to elaborate further. Reference: https://wiki.mozilla.org/User:Ashughes/Test_Plans/CVE-2012-5076
Comment 7•12 years ago
|
||
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #6) > We encountered several issues in testing this staged block. None of which > were problems with the block itself but did affect our ability to test the > block. > > In many cases, we found old Java versions to be disabled on first run. > * Java 7u5 on all platforms > * Java 7u6 on Windows and Mac > * Java 7u7 on Windows > In these cases, we could enable the plugin in Add-ons Manager and test the > staged block. jorgev - can you confirm that we're not running into any pre-existing blocks here? bsmedberg - could anything other than blocks be causing these Java versions to start disabled?
Assignee: nobody → jorge
Assignee | ||
Comment 8•12 years ago
|
||
Java 7, update 6 and below are already softblocked both in staging and prod: https://addons.mozilla.org/en-US/firefox/blocked/p138 https://addons.mozilla.org/en-US/firefox/blocked/p134 https://addons.mozilla.org/en-US/firefox/blocked/p132 So, it sounds like what we need to do is limit these existing blocks so that they only apply up to 17.*, and add similar blocks for update 7 only.
Assignee | ||
Comment 9•12 years ago
|
||
The blocks are now staged. The following existing blocks for Java are now restricted to 17.* and below: 138, 134, 132, 125, 123, 119. These were introduced in bug 780717, bug 794247 and their dependencies. I modified the blocks from comment #1 so that they only apply to Java 7 update 7, in order to avoid any overlap. QA, please verify so we can apply this on prod.
Keywords: qawanted
Comment 10•12 years ago
|
||
Here are the results of my testing. * Java 7u7 in Firefox 17.0 was click-to-play blocked * Java 7u7 in Firefox 16.0.2 was softblocked * Java 7u7 in Firefox 16.0 was softblocked Is this expected?
Assignee | ||
Comment 11•12 years ago
|
||
Yes, that's the expected behavior for anything in the Java 7 branch. They should not be blocked on 18 and above.
Comment 12•12 years ago
|
||
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #10) > Here are the results of my testing. > * Java 7u7 in Firefox 17.0 was click-to-play blocked > * Java 7u7 in Firefox 16.0.2 was softblocked > * Java 7u7 in Firefox 16.0 was softblocked > > Is this expected? J7u7 shouldn't be softblocked and not CTP blocked in FF 17 ?
Assignee | ||
Comment 13•12 years ago
|
||
You're right. I hadn't made the changes from bug 812936 on staging, so the previous CTP blocks still applied to Firefox 17. I fixed this now.
Comment 14•12 years ago
|
||
I am now seeing a softblock for Java 7u7 in Firefox 17. This can be pushed live in my opinion.
Assignee | ||
Comment 15•12 years ago
|
||
The following blocks now only apply to 17.* and lower: https://addons.mozilla.org/en-US/firefox/blocked/p138 https://addons.mozilla.org/en-US/firefox/blocked/p134 https://addons.mozilla.org/en-US/firefox/blocked/p132 https://addons.mozilla.org/en-US/firefox/blocked/p125 https://addons.mozilla.org/en-US/firefox/blocked/p123 https://addons.mozilla.org/en-US/firefox/blocked/p119 And I added the following blocks for Java 7 U 7, also applying only to 17.* and lower: https://addons.mozilla.org/en-US/firefox/blocked/p210 Java Plugin 1.7u7 (Linux) https://addons.mozilla.org/en-US/firefox/blocked/p212 Java Plugin 1.7u7 (Mac OS X) https://addons.mozilla.org/en-US/firefox/blocked/p214 Java Plugin 1.7u7 (Windows)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 16•12 years ago
|
||
I also published this in the Add-ons Blog: https://blog.mozilla.org/addons/2012/11/22/java-7-update-7-blocked/
Comment 17•12 years ago
|
||
Results of testing the live block with Firefox 17.0, 16.0, 16.0.1, and 16.0.2 on Windows 7, OSX 10.7, and Ubuntu 12.04: * Java 7u7 was softblocked on ping * Java 7u4 was hardblocked on firstrun * Java 7u3 was hardblocked on firstrun * Java 6u32 was hardblocked on firstrun * Java 6u31 was hardblocked on firstrun Marking this bug verified fixed. Please reopen if the hardblocks are unexpected.
Status: RESOLVED → VERIFIED
Assignee | ||
Comment 18•12 years ago
|
||
The hardblocks are definitely unexpected. Looking at blocklist.xml, I see the severity set to 1, which is the correct value for a softblock. Can you please check again?
Comment 19•12 years ago
|
||
I just spotchecked this again on a completely new Windows 7 install with Java 7u4 and it is disabled on firstrun in the Addons Manager (before doing any blocklist pings). Here is what I see in my blocklist.xml: <pluginItem blockID="p119"> <match name="name" exp="Java\(TM\) Plug-in 1\.(6\.0_(\d|[0-2]\d?|3[0-2])|7\.0(_0?([1-4]))?)([^\d\._]|$)"/> <match name="filename" exp="libnpjp2\.so"/> <versionRange severity="1"/> </pluginItem> <pluginItem blockID="p125"> <match name="name" exp="Java\(TM\) Platform SE ((6( U(\d|([0-2]\d)|3[0-2]))?)|(7(\sU[0-4])?))(\s[^\d\._U]|$)"/> <match name="filename" exp="npjp2\.dll"/> <versionRange severity="1"/> </pluginItem> Here is what shows in my Add-ons Manager: Java(TM) Platform SE 7 U4 10.4.0.20 (disabled) Next Generation Java Plug-in 10.4.0 for Mozilla browsers
Assignee | ||
Comment 20•12 years ago
|
||
It could be a bug in the way the Add-ons Manager handles the default blocklist. Those blocks have the right severity, but for reason they are behaving as hardblocks. Adding the AOM people for comment.
Comment 21•12 years ago
|
||
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #19) > I just spotchecked this again on a completely new Windows 7 install with > Java 7u4 and it is disabled on firstrun in the Addons Manager (before doing > any blocklist pings). If the plugin is disabled and can be enabled, it doesn't mean is softblocked ? That's the behavior I see on FF 17.
Comment 22•12 years ago
|
||
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #17) > Results of testing the live block with Firefox 17.0, 16.0, 16.0.1, and > 16.0.2 on Windows 7, OSX 10.7, and Ubuntu 12.04: > * Java 7u7 was softblocked on ping Before the ping, j7u7 is CTP blocked. Where is this block coming from ?
Assignee | ||
Comment 23•12 years ago
|
||
(In reply to Paul Silaghi [QA] from comment #21) > (In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #19) > > I just spotchecked this again on a completely new Windows 7 install with > > Java 7u4 and it is disabled on firstrun in the Addons Manager (before doing > > any blocklist pings). > > If the plugin is disabled and can be enabled, it doesn't mean is softblocked > ? > That's the behavior I see on FF 17. Yes. If that's what you see, then that is correct. I'm marking this as fixed again then. (In reply to Paul Silaghi [QA] from comment #22) > (In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #17) > > Results of testing the live block with Firefox 17.0, 16.0, 16.0.1, and > > 16.0.2 on Windows 7, OSX 10.7, and Ubuntu 12.04: > > * Java 7u7 was softblocked on ping > > Before the ping, j7u7 is CTP blocked. Where is this block coming from ? IIRC, Firefox includes the latest version of the blocklist before it was built, so that it at least has a relatively current version to apply before the first blocklist download.
Assignee | ||
Updated•12 years ago
|
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Comment 24•12 years ago
|
||
(In reply to Jorge Villalobos [:jorgev] from comment #23) > IIRC, Firefox includes the latest version of the blocklist before it was > built, so that it at least has a relatively current version to apply before > the first blocklist download. Correct. Glad this got sorted :)
Comment 25•12 years ago
|
||
(In reply to Jorge Villalobos [:jorgev] from comment #23) > > Before the ping, j7u7 is CTP blocked. Where is this block coming from ? > > IIRC, Firefox includes the latest version of the blocklist before it was > built, so that it at least has a relatively current version to apply before > the first blocklist download. Don't know the solution, but it would be nice to have one. Our users will be confused by the CTP, until the ping is made. BTW, how long will take until the ping arrives? I see it in about 5-10 minutes in FF 17.
Assignee | ||
Comment 26•12 years ago
|
||
If you force the ping, it should happen almost immediately. Without forcing the ping, it can take up to 24 hours. I think we'll have to live with this when it comes to changing the behavior of existing blocks.
Comment 27•12 years ago
|
||
(In reply to Jorge Villalobos [:jorgev] from comment #26) > If you force the ping, it should happen almost immediately. Without forcing > the ping, it can take up to 24 hours. I think we'll have to live with this > when it comes to changing the behavior of existing blocks. FWIW, filed bug 815809, which will address the new-install case of this.
Updated•8 years ago
|
Product: addons.mozilla.org → Toolkit
You need to log in
before you can comment on or make changes to this bug.
Description
•