Closed
Bug 1193001
Opened 9 years ago
Closed 9 years ago
Blocklist Flash 13.x after EOL (august 11, 2015)
Categories: Toolkit :: Blocklist Policy Requests, defect
Status: RESOLVED FIXED
Target Milestone: 44.1
People
(Reporter: dveditz, Assigned: jorgev)
Adobe announced in May that the Adobe Flash extended support version will be transitioned from 13.x to 18.x on August 11, 2015: http://blogs.adobe.com/flashplayer/2015/05/upcoming-changes-to-flash-players-extended-support-release-2.html At some point after that, the next Flash exploits in the wild will not receive fixes on the 13.x branch and we will have to remove the blocklisting exception for that branch. I don't know of any such exploits; this is preparation.
Comment 1•9 years ago (Reporter)
The Flash 13.x branch has been unsupported and with known vulns since Aug 11, and additional vulns were published today (see bug 1206889). We need to mark this as "vulnerable" now, or at the very least out-of-date click to play. The current ESR is 18.0.0.241
Severity: normal → major
Flags: needinfo?(jorge)
Summary: Be prepared to blocklist Flash 13.x after EOL (august 11, 2015) → Blocklist Flash 13.x after EOL (august 11, 2015)
Comment 2•9 years ago (Assignee)
The block for the 13.* branch is now staged: https://addons-dev.allizom.org/en-US/firefox/blocked/p780 Kamil, please give it a look. In terms of timing, this isn't urgent and I don't expect it to be deployed today (maybe tomorrow).
Flags: needinfo?(jorge) → needinfo?(kjozwiak)
Comment 3•9 years ago
Win 10 x64 (VM):
================
File: NPSWF32_13_0_0_309.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_309.dll
Version: 13.0.0.309
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-24-03-02-31-mozilla-central/

File: NPSWF32_18_0_0_241.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_241.dll
Version: 18.0.0.241
State: Enabled
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/releases/41.0/

Win 8.1 x64 (VM):
=================
File: NPSWF32_13_0_0_309.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_309.dll
Version: 13.0.0.309
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-25-00-40-22-mozilla-aurora/

File: NPSWF32_18_0_0_241.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_241.dll
Version: 18.0.0.241
State: Enabled
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/releases/41.0/

OSX 10.10.5 x64:
================
File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 13.0.0.309
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/nightly/2015-09-24-03-02-31-mozilla-central/

File: Flash Player.plugin
Path: /Library/Internet Plug-Ins/Flash Player.plugin
Version: 18.0.0.241
State: Enabled
Shockwave Flash 18.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/candidates/42.0b1-candidates/build1/

Potential Issues:
=================
File: NPSWF32_13_0_0_302.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_302.dll
Version: 13.0.0.302
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/releases/41.0/
-> Link: https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p944

File: NPSWF32_13_0_0_296.dll
Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_296.dll
Version: 13.0.0.296
State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
Shockwave Flash 13.0 r0
-> Build: https://archive.mozilla.org/pub/firefox/candidates/42.0b1-candidates/build1/
-> Link: https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p940

Once I installed the above Flash versions, they were automatically blocked without pinging the staging server, which is expected. However, they both pointed to older URLs (p944 & p940). Should both of those Flash versions point to the new p780 link as per comment #2?
Flags: needinfo?(kjozwiak) → needinfo?(jorge)
Comment 4•9 years ago (Assignee)
p944 and p940 are in the production blocklist, not the staging one. It's possible that there's some stale data in your profile that points to the old blocks. Doesn't sound like a big problem anyway, though we should double-check once the blocks are pushed live.
Flags: needinfo?(jorge)
Comment 5•9 years ago (Assignee)
The block is now live. Please test and check that the blocklist URL is correct. https://addons.mozilla.org/blocked/p1020
Assignee: nobody → jorge
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → 44.1
Comment 6•9 years ago
So it appears that the only version of Flash currently pointing to p1020 is Flash 13.0.0.309. All the other 13.* versions are pointing to other URLs. I tried force-pinging the server several times to see if the URL would change, but they all stayed the same. I think all the 13.* versions should be pointing to the p1020 URL? Jorge, is that the case?

OSes used:
- Win 10 x64 (VM)
- OSX 10.10.5 x64

Results:
=======
* flash 13.0.0.292 (checked using the latest fx44)
** https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p928
** Blocklist state for Shockwave Flash changed from 4 to 4
* flash 13.0.0.296 (checked with the latest fx41)
** https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p940
** Blocklist state for Shockwave Flash changed from 4 to 4
* flash 13.0.0.302 (checked with the latest fx42b1)
** https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p944
** Blocklist state for Shockwave Flash changed from 4 to 4
* flash 13.0.0.309 (checked with the latest fx43)
** https://blocklist.addons.mozilla.org/en-US/firefox/blocked/p1020
** Blocklist state for Shockwave Flash changed from 0 to 4
* flash 18.0.0.241 (checked with the latest fx44)
** not being blocked, as expected
Flags: needinfo?(jorge)
Comment 7•9 years ago (Assignee)
No, it depends on the order in which the blocks are evaluated. There are older blocks in the 13.* branch that could apply before the one introduced in this bug. I could remove the redundant ones, but that might cause more confusion. As long as all versions are blocked, it should be okay.
Flags: needinfo?(jorge)
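The first-match behaviour described in comment 7, modelled as an added example (not code from this bug or from Firefox). Only the block ids and plugin versions come from the bug; the per-block version ranges, the state numbering and the ordering of entries are assumptions chosen so the model reproduces the URLs reported in comment 6.

```python
# Added example: a first-match model of overlapping plugin blocklist entries.
# It shows why older per-build blocks (p928, p940, p944) win for some 13.*
# versions while only 13.0.0.309 resolves to p1020, and why that is harmless
# as long as every 13.* version still ends up blocked.

# Blocklist states as numbered by Firefox's nsIBlocklistService; comment 6
# shows the plugin state moving from 0 to 4 (assumed mapping for this model).
STATE_NOT_BLOCKED = 0
STATE_VULNERABLE_UPDATE_AVAILABLE = 4


def parse_version(s):
    """Turn '13.0.0.309' into a tuple so ranges compare numerically."""
    return tuple(int(p) for p in s.split("."))


# (block id, min version inclusive, max version inclusive, state).
# ASSUMED ranges: the older blocks each cover up to one build, p1020 (this
# bug) covers the whole 13.* branch, and entries are evaluated oldest first.
BLOCKS = [
    ("p928", "13.0.0.0", "13.0.0.292", STATE_VULNERABLE_UPDATE_AVAILABLE),
    ("p940", "13.0.0.0", "13.0.0.296", STATE_VULNERABLE_UPDATE_AVAILABLE),
    ("p944", "13.0.0.0", "13.0.0.302", STATE_VULNERABLE_UPDATE_AVAILABLE),
    ("p1020", "13.0.0.0", "13.999.999.999", STATE_VULNERABLE_UPDATE_AVAILABLE),
]


def evaluate(version, blocks=BLOCKS):
    """Return (state, block id) for the FIRST entry whose range contains
    the plugin version, or (STATE_NOT_BLOCKED, None) if none does."""
    v = parse_version(version)
    for block_id, lo, hi, state in blocks:
        if parse_version(lo) <= v <= parse_version(hi):
            return state, block_id
    return STATE_NOT_BLOCKED, None


def block_url(block_id):
    return "https://blocklist.addons.mozilla.org/en-US/firefox/blocked/" + block_id


def all_blocked(versions, blocks=BLOCKS):
    """The property comment 7 relies on: every listed version is blocked,
    whichever entry happens to match first."""
    return all(evaluate(v, blocks)[0] != STATE_NOT_BLOCKED for v in versions)


if __name__ == "__main__":
    for v in ["13.0.0.292", "13.0.0.296", "13.0.0.302", "13.0.0.309", "18.0.0.241"]:
        state, bid = evaluate(v)
        print(v, state, block_url(bid) if bid else "not blocked")
```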
Comment 8•9 years ago
Looks like we're good :)
Updated•8 years ago
Product: addons.mozilla.org → Toolkit