Plugin block request: Foxit Reader Plugin 2.2.1.530 and below due to critical vulnerability

RESOLVED FIXED

Status

Toolkit
Blocklisting
--
critical
RESOLVED FIXED
5 years ago
a year ago

People

(Reporter: philipp, Assigned: jorgev)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [plugin], URL)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
According to reports, the Foxit PDF browser plugin is affected by a highly critical vulnerability which can be exploited to inject malicious code:
www.h-online.com/security/news/item/Current-Foxit-Reader-can-execute-malicious-code-1780636.html

Please consider blocking it up to the latest plugin version 2.2.1.530 in order to protect users...

Comment 1

5 years ago
philipp, you should have used the link in https://wiki.mozilla.org/Blocklisting#How_to_request_a_block

Version 2.2.1.530 is the current version.

Plugin name: Foxit Reader Plugin
Plugin versions to block: 2.2.1.530 and below
Applications, versions, and platforms affected: Windows
Block severity: (hard/soft)

How does this plugin appear in about:plugins?
    File: npFoxitReaderPlugin.dll
    Version: 2.2.1.530
    Description: Foxit Reader Plug-In For Firefox and Netscape

Homepage and other references and contact info: http://www.foxitsoftware.com/Secure_PDF_Reader/

Reasons: http://secunia.com/advisories/51733/
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hardware: x86_64 → x86
Summary: blocklist npFoxitReaderPlugin.dll due to critical vulnerability → Plugin block request: Foxit Reader Plugin 2.2.1.530 and below due to critical vulnerability
Whiteboard: [plugin]
(Assignee)

Comment 2

5 years ago
Staged: https://addons-dev.allizom.org/en-US/firefox/blocked/p263

It is currently staged as a CTP block, but I'm not sure if this is the right UX to provide in this case. I don't know if the PDF download will be triggered, or if the CTP UI will appear. If it doesn't, maybe we should go for a softblock.
Assignee: nobody → jorge
Status: NEW → ASSIGNED
Keywords: qawanted
QA Contact: anthony.s.hughes
The desired UI is the CTP block. I believe it should work, but QA should verify before we push this live.

Updated

5 years ago
QA Contact: anthony.s.hughes → jbecerra
I've tested this on staging. The block is CTP. When I try to open a PDF file I get the page showing the lego piece and the message saying the plugin has vulnerabilities. About:addons shows the plugin as enabled, but it shows the message that it is known to be vulnerable and to use with caution. If I click through it I can see the document.

We can move to production when you are ready.
Created attachment 701896 [details]
CTP Foxit Reader Plugin

Updated

5 years ago
Keywords: qawanted

Comment 6

5 years ago
Let's give people on the security-group@mozilla.org mailing list an hour or two to respond with any last minute issues, and then move this to production.
(Assignee)

Comment 7

5 years ago
The block is now live: https://addons.mozilla.org/en-US/firefox/blocked/p250
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
This has been verified on production.
Product: addons.mozilla.org → Toolkit