Closed Bug 839453 Opened 12 years ago Closed 12 years ago

Blocklist/Click-to-Play Adobe Flash Player 11.5.502.146 (Mac, Windows), 11.2.202.261 (Linux)

Categories

(Toolkit :: Blocklist Policy Requests, defect, P1)

Product:
Toolkit
Component:
Blocklist Policy Requests
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: freddy, Unassigned)

References

(
URL
)

Details

(Keywords: sec-critical)

There is a new Adobe Flash update out there, so I suppose we might want to blocklist the old version. According to the bug report some interesting reporters appear, which alludes that this vulnerability has already been exploited in the wild for high-profile attacks (see news article linked in URL field). Request: Block these versions of Adobe Flash Player: 11.5.502.146 (Mac, Windows) 11.2.202.261 (Linux) and in case we have this feature in fennec, please include: 11.1.115.36 (Android 4.x) 11.1.111.31 (Android 3.x and 2.x.)
If anything, we'd need to also block all older versions than those, as those are also vulnerable. That said, I think we are not yet ready for wide-ranged blocklisting of all older Flash versions - but the decision is up to release drivers.
I thought we already blocked all but the most recent version of Flash. Looks like I was wrong and this is still a roadmap item on the horizon.
Yes, that's a roadmap item for the future, in our plans probably not happening before Firefox 22, IIRC (same for the plan of CTP-blocking all non-Flash plugins).
I recommend WONTFIX on this particular bug, because we're tracking "CtP blocklist of all insecure versions of Flash" in other bugs and we aren't going to fix this outside of that schedule.
Fine with me. Sorry for the confusion :)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
(In reply to Benjamin Smedberg [:bsmedberg] from comment #4) > I recommend WONTFIX on this particular bug, because we're tracking "CtP > blocklist of all insecure versions of Flash" in other bugs and we aren't > going to fix this outside of that schedule. Wait, what? There are active exploits for 11.5--reported when this was filed, confirmed later by Adobe in http://www.adobe.com/support/security/bulletins/apsb13-08.html --and we WONTFIX this? Note "The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser" so it's kind of personal. Now Flash 11.7 has been released and fixes "critical" security bugs. Update priority "1" on Windows according to Adobe but so far no known public exploits. We should AT LEAST block 11.5
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
(In reply to Daniel Veditz [:dveditz] from comment #6) > Now Flash 11.7 has been released and fixes "critical" security bugs. Update > priority "1" on Windows according to Adobe but so far no known public > exploits. We should AT LEAST block 11.5 We're currently CTP'd up to 11.2, and are planning on cautiously moving forward with 11.3/11.4 soon, with 11.5 following. If you'd like us to consider changing that plan, please email security-group. It's not clear to me how this exploit is any different from previous Flash exploits (which were outweighed by the previously poor user experience).
We're sticking to the plan, as far as Flash blocks go. If you want to change the plan, this should be discussed in the security and release lists, as Alex pointed out.
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → WONTFIX
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.