Closed Bug 828982 Opened 11 years ago Closed 11 years ago

Plugin block request: Foxit Reader Plugin 2.2.1.530 and below due to critical vulnerability

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Product:
Toolkit
Component:
Blocklist Policy Requests
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: philipp, Assigned: jorgev)

References

(
URL
)

Details

(Whiteboard: [plugin])

Attachments

(1 file)

CTP Foxit Reader Plugin
86.74 KB, image/png
Details 
according to reports the foxit pdf browser plugin is affected by a highly critical vulnerability which can be exploited to inject malicious code:
www.h-online.com/security/news/item/Current-Foxit-Reader-can-execute-malicious-code-1780636.html

please consider blocking it up to the latest plugin version 2.2.1.530 in order to protect users...
philipp, you should have used the link in https://wiki.mozilla.org/Blocklisting#How_to_request_a_block

Version 2.2.1.530 is the current version.

Plugin name: Foxit Reader Plugin
Plugin versions to block: 2.2.1.530 and below
Applications, versions, and platforms affected: Windows
Block severity: (hard/soft)

How does this plugin appear in about:plugins?
    File: npFoxitReaderPlugin.dll
    Version: 2.2.1.530
    Description: Foxit Reader Plug-In For Firefox and Netscape

Homepage and other references and contact info: http://www.foxitsoftware.com/Secure_PDF_Reader/

Reasons: http://secunia.com/advisories/51733/
URL: http://secunia.com/advisories/51733/
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hardware: x86_64 → x86
Summary: blocklist npFoxitReaderPlugin.dll due to critical vulnerability → Plugin block request: Foxit Reader Plugin 2.2.1.530 and below due to critical vulnerability
Whiteboard: [plugin]
Staged: https://addons-dev.allizom.org/en-US/firefox/blocked/p263

It is currently staged as a CTP block, but I'm not sure if this is the right UX to provide in this case. I don't know if the PDF download will be triggered, or if the CTP UI will appear. If it doesn't, maybe we should go for a softblock.
Assignee: nobody → jorge
Status: NEW → ASSIGNED
Keywords: qawanted
QA Contact: anthony.s.hughes
The desired UI is the CTP block. I believe it should work, but QA should verify before we push this live.
QA Contact: anthony.s.hughes → jbecerra
I've tested this on staging. The block is CTP. When I try to open a PDF file I get the page showing the lego piece and the message saying the plugin has vulnerabilities. About:addons shows the plugin as enabled, but it shows the message that it is known to be vulnerable and to use with caution. If I click through it I can see the document.

We can move to production when you are ready.
Keywords: qawanted
Let's give people on the security-group@mozilla.org mailing list an hour or two to respond with any last minute issues, and then move this to production.
The block is now live: https://addons.mozilla.org/en-US/firefox/blocked/p250
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
This has been verified on production.
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: