'''ATTN SUMO contributors, and especially Support Forum contributors:'''
We are about to ''completely disable Flash Player'' in Firefox because of Adobe's advisory for critical vulnerabilities (CVE-2015-5122 and CVE-2015-5123) in Adobe Flash Player 18.0.0.203 and earlier versions for Windows, Macintosh and Linux:
( https://helpx.adobe.com/security/products/flash-player/apsa15-04.html ). We will re-enable Flash in Firefox when we implement the fix Adobe is expected to release shortly.
'''Be prepared to address concerns on the support forums with regard to this change.'''
We understand not having Flash Player is a large inconvenience for many people. However, an even larger inconvenience would be to have your computer compromised or damaged and your personal information stolen or used against you.
'''What will stop working when we disable Flash Player?'''
All flash games and most videos on the web, including videos on sites like Facebook, Vimeo, YouTube (most YT videos will not be affected), and others.
'''What makes these vulnerabilities different from other vulnerabilities which warrants completely blocking Flash Player from Firefox?'''
These vulnerabilities are being actively used to spread malware all over the Internet, right now. Worse still, there is no update yet from Adobe which can prevent Flash Player from being used to spread malware to a user's computer. However, we do expect Adobe to release an updated version of Flash in the near future. Keep an eye on Adobe's Product Security Incident Response Team blog for more information: https://blogs.adobe.com/psirt/
A good general resource for support will be the KB article [[Add-ons that cause stability or security issues are put on a blocklist]], which explains why add-ons are blocked. However, there should be a blog post or statement up somewhere soon from Mozilla to address this specific issue.
''Mark Schmidt [[#post-65981|said]]''
<blockquote>
We are about to ''completely disable Flash Player'' in Firefox because of Adobe's advisory for critical vulnerabilities (CVE-2015-5122 and CVE-2015-5123) in Adobe Flash Player 18.0.0.203 and earlier versions for Windows, Macintosh and Linux
</blockquote>
Related bug:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1182751 Bug 1182751] - (CVE-2015-5122) Blocklist vulnerable versions of Flash Player plugin (18.0.0.203 and lower)
Wouldn't this be a "click-to-play" block where we can link users to [[Why do I have to click to activate plugins?]] ?
The current Flash block is this one:
https://addons.mozilla.org/en-US/firefox/blocked/p938 ''Flash Player Plugin 18.0.0.194 to 18.0.0.202 (click-to-play) has been blocked for your protection'' ([https://bugzilla.mozilla.org/show_bug.cgi?id=1181458 bug 1181458])
The comment at https://bugzilla.mozilla.org/show_bug.cgi?id=1182751#c8 verifying the staged blocklist seems to indicate that you can make site-specific exceptions, though...
'''Thanks for the Heads Up.'''
I have not followed this in detail. Looks like it may not even be the last zero day exploit. Top websearch, news article saying
<blockquote>We are likely to continue to see additional Flash zero day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program. {[Third Hacking Team Flash Zero-Day Found
[https://krebsonsecurity.com/2015/07/third-hacking-team-flash-zero-day-found/ Krebs on Security] - 31 mins ago ]}</blockquote>
If it is this vital to block, surely there is an imminent '''public announcement'''. That is what we need to refer users to: a search-engine-crawled, specific, official public document. And why hold off on blocking because plugincheck is down? That is relatively unimportant.
By which I mean it would be good to have '''plugincheck''' confirm Flash is vulnerable even if it is the latest version, but if blocklisting is needed, why wait for plugincheck to be updated to handle this? (Will it handle the load when everyone tries to check? Anyhow, don't we try to direct users directly to Adobe's page instead in these situations?)
Linking to a generic [[Add-ons that cause stability or security issues are put on a blocklist|article]] on blocklists is not going to help end users understand the situation.
'''Sounds like the plans are a bit hazy.'''
I wonder if end users will be blaming Mozilla or Adobe for the inconvenience. I doubt they will blame the hackers.
Google Chrome is mentioned as affected in https://helpx.adobe.com/security/products/flash-player/apsa15-04.html so I take it this affects all FlashPlayer in all browsers ?
Do we know Chrome
& if appropriate ''' IE's plans ?'''
I suppose it is naive to expect Adobe will put a warning on its own about flash page, http://www.adobe.com/software/flash/about/ maybe linking to its own advisories.
--------
Bug now marked fixed & it is on the blocklist now
July 13, 2015: Flash Player Plugin on Linux 11.2.202.481 (click-to-play)
July 13, 2015: Flash Player Plugin 18.0.0.203 (click-to-play)
July 13, 2015: Flash Player Plugin 13.0.0.302 (click-to-play)
but not yet updated on the computer.
'''Update:'''
All current versions of flash are now on the live blocklist. https://addons.mozilla.org/en-US/firefox/blocked/
https://www.mozilla.org/en-US/plugincheck/ is back up and running, and displaying a notice that all versions of flash are vulnerable.
No public update has gone out yet. However, we do have people working on this. Also, we will be adding a small notice to plugin and flash related SUMO articles which explains the issue.
But apparently there is no official blog post (or similar) from Adobe about these vulnerabilities being addressed in that update.
Moreover, it seems that the Linux plugin is still at the same version as before.
<!-- Not actually tried remming out [[Image...]] before on the forum. I don't think it works. Could have been a method of shortening the post-->
''Mark Schmidt [[#post-65984|said]]''
<blockquote>
Edit: The block will be soft/click-to-activate.
</blockquote>
This gets confusing.
I have not checked '''Linux''' yet, although Underpass suggests that is still problematic.
'''I did expect a softblock but it seems not to be ?!'''
With FP not updated, the add-ons manager shows it as vulnerable and asks to activate. I did not capture the options, but Ask to Activate and Never Activate are available. [[Image:blocks-fp]]
However, I did not get it to activate. Instead, I was invited to download FP from Adobe <!-- [[Image:get-fp]] -->
The information link for Windows clearly states: <blockquote>What does this mean? <br /> The problematic add-on or plugin will be automatically disabled and '''no longer usable.''' {(my emphasis) https://addons.mozilla.org/en-US/firefox/blocked/p946 </blockquote>
<!-- [[Image:p946-fp]] {Full size see the link above or the [https://support.mozilla.org/en-US/gallery/image/22412 Gallery] ) -->
CVE-2015-5122
*'''Has it been confirmed as fixed ? '''
*Has it been published ? <br /> I do not find it with https://cve.mitre.org/cgi-bin/cvename.cgi?name=+CVE-2015-5122 <blockquote>Description
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. </blockquote>
Or does this indicate Adobe are still working on a proper full fix and the latest version is still vulnerable but will avoid our blocking ?
It would be of interest to know what IE & Chrome are doing that will help with answering Support questions.
I have not yet seen a proper and detailed listing of what is and is not affected.
'''Is 64bit FP safe'''
We do not seem to have blocked that.
If it is unsafe it is bad for any testers using Windows Firefox 64 bit.
If it is safe users may be encouraged to migrate to 64 bit clones of Firefox.
[[Image:64bit-fp]]
[[Image:32bit-fp]]
Here's what the Flash block notice looks like when there is no Flash update available (a foxnews.com video):
;[[Image:FlashBlock-NoUpdate]]
You may need to reload the page before clicking on "Activate Adobe Flash" will work, so that you can allow the plugin. I thought that was mentioned in the [[Set Adobe Flash to "click to play" on Firefox]] article, but it isn't. <sub>EDIT: I just revised that article to add that information.</sub> The [[Why do I have to click to activate plugins?]] article DOES mention it, under the first screenshot where it says, ''If you click to activate and allow the plugin, the missing content will load normally (if it doesn't, reload the page and try again).''
I always set Flash to "Ask to activate" in the Add-on manager so I get this issue often.
'''Edit''' Related discussion:
https://support.mozilla.org/en-US/kb/why-do-i-have-click-activate-plugins/discuss/6169 Flash blocked, no update available ... and reload page to activate and allow
I updated to Flash Player 18.0.0.209 and [https://www.mozilla.org/en-US/plugincheck/ PluginCheck] shows its status as Up to Date. Adobe Flash videos play normally in Firefox 39 on Windows 7. With Shockwave Flash 18.0.0.209 set to "Always Activate" in the Add-ons manager Plugins tab, there is no prompt to activate Flash.
Time to remove [/kb/templateflashblocked Template:flashblocked] from the articles where it was added?
Documents that use "Template:flashblocked" as a template: https://support.mozilla.org/en-US/kb/templateflashblocked/links
Adobe has updated its bulletin
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
and so I think we can revert all the articles back.
edit: Linux version has not been updated (yet), though.
''Underpass [[#post-66002|said]]''
<blockquote>
Adobe has updated its bulletin
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
and so I think we can revert all the articles back.
edit: Linux version has not been updated (yet), though.
</blockquote>
I have edits pending to remove the template from three articles (Mark has edits for the other three) .... then I saw your edited post that Linux isn't updated yet.
I'll leave it up to admin to edit the articles to keep the template {for linux} only, approve the revisions to [https://support.mozilla.org/en-US/kb/templateflashblocked/links these articles] to remove the templates, or whatever.
P.S. philipp has an edit pending to the template to hide the content for windows and mac and make it show for linux only. See: [/kb/templateflashblocked/history]
''philipp [[#post-66004|said]]''
<blockquote>
I've made an unreviewed edit to the template to limit it to Linux
</blockquote>
I'll leave it up to admin to review your revision. See: [/kb/templateflashblocked/history]
EDIT: I see Joni approved it ;-)
AliceWyman: Yes, remove Template:flashblocked! :)
John99: Thanks for checking win64. Since it's not officially out yet, that wasn't a big deal. But it will be soon. So we'll need to make sure we start blocking 64bit versions in the future, when applicable.
The blocklist has been updated to reflect the availability of an update to Flash Player. Users will be urged by FF to update as soon as they download a new copy of the blocklist (happens every 24 hours).
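The three click-to-play entries John99 listed for July 13, the "blocked, no update available" notice Alice described, the win64 build that did not appear to be blocked, and the state Mark describes here (entry now carries "update available", so users are urged to update) can all be modelled as one decision function. What follows is an added example, not Mozilla's blocklist code or Adobe's: the version ceilings (18.0.0.203, 13.0.0.302, 11.2.202.481) and the fixed 18.0.0.209 build are the ones quoted in this thread, while the branch-bounded ranges, the `update_available` flag, and the 32-bit-only Windows entry are assumptions modelling what posters observed. The real `blocklist.xml` fields are not reproduced.

```python
"""
Toy model of the Firefox plugin-blocklist decision for Flash Player as
discussed in this thread (July 2015).  Added example; not Mozilla or Adobe
code, and the real blocklist.xml schema is not reproduced.  Version ceilings
are the ones quoted in the thread; branch-bounded ranges, the update flag and
the Windows 64-bit gap are assumptions modelling what posters observed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'18.0.0.209' -> (18, 0, 0, 209).  Comparison must be numeric per
    component: as plain strings, '18.0.0.21' sorts above '18.0.0.203'."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {s!r}")
    return tuple(int(p) for p in parts)


def version_le(a: Version, b: Version) -> bool:
    """a <= b, with missing trailing components treated as 0 (18.0 == 18.0.0.0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


@dataclass(frozen=True)
class BlockEntry:
    os: str                 # "win", "mac" or "linux"
    arch: str               # "32", "64" or "any" (assumption: entries may be arch-specific)
    min_version: str
    max_version: str        # inclusive: "18.0.0.203 and lower"
    update_available: bool  # soft block that urges an update vs "no update yet"
    label: str


# Constructed from the July 13, 2015 entries quoted in the thread.  Windows and
# Mac entries are flagged update_available once 18.0.0.209 ships; Linux stays
# False because no fixed Linux build was out.  Only 32-bit Windows is listed,
# matching John99's observation that win64 did not appear to be blocked.
BLOCKLIST: List[BlockEntry] = [
    BlockEntry("win",   "32",  "14.0", "18.0.0.203",   True,  "Flash Player Plugin 18.0.0.203 (click-to-play)"),
    BlockEntry("mac",   "any", "14.0", "18.0.0.203",   True,  "Flash Player Plugin 18.0.0.203 (click-to-play)"),
    BlockEntry("win",   "32",  "0",    "13.0.0.302",   True,  "Flash Player Plugin 13.0.0.302 (click-to-play)"),
    BlockEntry("mac",   "any", "0",    "13.0.0.302",   True,  "Flash Player Plugin 13.0.0.302 (click-to-play)"),
    BlockEntry("linux", "any", "0",    "11.2.202.481", False, "Flash Player Plugin on Linux 11.2.202.481 (click-to-play)"),
]


def is_vulnerable(os: str, v: Version) -> bool:
    """Affected per the advisory text quoted in the thread, independent of what
    the blocklist happens to match.  The 13.x line gets its own ceiling so a
    later fixed 13.x build is not swept up by the 18.x ceiling."""
    if os == "linux":
        return version_le(v, parse_version("11.2.202.481"))
    if v[0] == 13:
        return version_le(v, parse_version("13.0.0.302"))
    return version_le(v, parse_version("18.0.0.203"))


def find_entry(os: str, arch: str, v: Version) -> Optional[BlockEntry]:
    """First blocklist entry whose OS, arch and version range match."""
    for e in BLOCKLIST:
        if (e.os == os and e.arch in ("any", arch)
                and version_le(parse_version(e.min_version), v)
                and version_le(v, parse_version(e.max_version))):
            return e
    return None


@dataclass(frozen=True)
class Decision:
    vulnerable: bool
    blocked: bool
    update_available: bool
    message: str


def decide(os: str, arch: str, version: str) -> Decision:
    """What the add-ons manager would do for this Flash build, plus a flag for
    the case the thread worried about: vulnerable but no entry matches."""
    v = parse_version(version)
    vulnerable = is_vulnerable(os, v)
    entry = find_entry(os, arch, v)
    if entry is None:
        msg = "not blocked"
        if vulnerable:
            msg += " (GAP: vulnerable per advisory but no blocklist entry matches)"
        return Decision(vulnerable, False, False, msg)
    if entry.update_available:
        msg = f"soft block ({entry.label}): ask to activate, user urged to update"
    else:
        msg = f"soft block ({entry.label}): ask to activate, no update available yet"
    return Decision(vulnerable, True, entry.update_available, msg)


if __name__ == "__main__":
    for case in [("win", "32", "18.0.0.203"), ("win", "32", "18.0.0.209"),
                 ("win", "64", "18.0.0.203"), ("linux", "any", "11.2.202.481"),
                 ("win", "32", "13.0.0.302")]:
        print(case, "->", decide(*case).message)
```

The point of keeping `is_vulnerable` separate from `find_entry` is the check John99 asked for: a build can be affected by the advisory and still slip through because no entry matches it (here the 64-bit Windows plugin), and the only way to notice is to compute both and compare.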
Mark,
I have not checked '''Linux''' yet. That could be an issue still per remarks from Underpass.
'''Do we know for certain [https://cve.mitre.org/cgi-bin/cvename.cgi?name=+CVE-2015-5122 CVE-2015-5122] has been addressed ?'''
Is it possible CVE-2015-5122 is not yet published because there are still FlashPlayer security issues that are not resolved ?
''Underpass [[#post-66002|said]]''
<blockquote>
Adobe has updated its bulletin
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
</blockquote>
it states that CVE-2015-5122 has been addressed in this 18.0.0.209 update
Thanks Philipp.
I note that although the CVE listing is not updated yet, the NVD [https://web.nvd.nist.gov/view/vuln/search-results?query=CVE-2015-5122&search_type=all&cves=on CVE-2015-5122] one is. That's more reassuring.
The wording regarding Linux on Adobe's [https://helpx.adobe.com/security/products/flash-player/apsb15-18.html APSB15-18] <blockquote> [Affected] Adobe Flash Player 11.2.202.481 and earlier Linux <snip> Adobe will provide an update for Flash Player for Linux during the week of July 12. The update will be available by visiting the Adobe Flash Player Download Center. Please continue to monitor the PSIRT blog for updates. </blockquote>
So I suppose those on Linux are still locked out of FlashPlayer.
Maybe the template should have remained for Linux.