Closed Bug 1084537 Opened 10 years ago Closed 9 years ago

Flash sometimes displayed as up to date whilst vulnerable, on Windows 7

Categories
Product / Component: Plugin Check Graveyard :: Client
Type: defect
Platform: x86, Windows 7
Priority: Not set
Severity: normal

Tracking: Not tracked
Status: RESOLVED FIXED

People
Reporter: espressive, Assigned: espressive

Attachments: 13 files

Reported on IRC:

check 'plugin check' with Win7 x64 FF33 and flash 15.0.0.152
it's showing 152 as up to date (should be vulnerable)

database seems to be up to date.

checked from win8.1 and it shows vulnerable
checked from within palemoon on the same machine, it shows vulnerable
so maybe not a win7 thing :\
restarted ff33 in safemode and still showing as 'up to date'
Component: Whistler → Client
Assignee: nobody → schalk.neethling.bugs
Status: NEW → UNCONFIRMED
Ever confirmed: false
"Fx-33-LIVE-plugincheck-en-GB-at-2014-10-21_Flash_is_WRONG.png"

1 of 3

Schalk,

I've been away and offline.

When I returned, on 2014-10-15 in the evening, I did a plugincheck at

LIVE - in my GB case
https://www.mozilla.org/en-GB/plugincheck

Using Windows 7 (64 bit OS) with Fx 33.

As I hoped and expected: 

Adobe Flash Player 15.0.0.152
was correctly detected and reported as "vulnerable".

Carsten Book had done Bug 1083170 "October Flash updates" on
2014-10-15.  So, all was OK then on 2014-10-15.
I updated Flash to 15.0.0.189 (both Fx and IE 9).

After that, all three browsers Fx 33 and IE 9 (64bit and 32bit versions)
tested at plugincheck, correctly showed Flash 15.0.0.189 as "Up to Date".


Yesterday, 2014-10-21 I was updating a Laptop that I typically
only have access to once a week.

See attached screenshot
"Fx-33-LIVE-plugincheck-en-GB-at-2014-10-21_Flash_is_WRONG.png"

That Laptop also has Windows 7 (64 bit OS) with Fx 33.

This is WRONG.
The correct result should be "vulnerable".

Adobe's web site 
http://www.adobe.com/software/flash/about/
also showed that the Flash plugin was 15.0.0.152
(and that it was therefore vulnerable).

Since then, I updated Flash on that Laptop, to 15.0.0.189 (both Fx and IE 10).
After the update, both Fx 33 and IE 10 plugincheck reported 15.0.0.189
as "Up to Date" (as expected).


On 2014-10-21 I wondered if there was some very strange 'infrastructure' type
issue between Mozilla and the UK.

See bug 1059853
"Check for Add-on Updates via Add-ons Manager does NOT work,
reports "No updates found" when there are newer versions at AMO"

Once I had pointed out, in bug 1059853 and
then in bug 1058643 "Automatic updates broken for some add-ons",
the possible 'infrastructure' cause:
> So, maybe a 'database at AMO' is giving 'old results'?

Mathieu Agopian did find that (see bug 1058643 comment # 4)
> It seems some slave databases are out of sync, which could be causing
> the issue. Still investigating.

Once they were back in sync the issue, with Add-ons at AMO, was resolved.


I don't have the answer, but I am wondering if

the Firefox cache
"C:\Users\UserNameHere\AppData\Roaming\Mozilla\Firefox\Profiles\SALTzbqp.ProfileNameHere\cache2"

or
a cache / temp folder used as part of the plugin install
(see bug 1084700 "Firefox reports wrong plugin version in crash report")

or
a cache between the 'plugincheck Database' and the browser
might be using 'out of date data'.

I suspect the latter.


From bug 1020133 comment # 32
https://bug1020133.bugzilla.mozilla.org/attachment.cgi?id=8492688

you can see the 'output from the plugincheck Database'.

Using Release, Fx 33, this evening 2014-10-22
and going 'direct to the URL':

https://plugins.mozilla.org/pfs/v2?appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appRelease=32&appVersion=20140825202822&clientOS=Windows&chromeLocale=en-GB&detection=version_availablemimetype=application%2Fpdf+application%2Fvnd.adobe.pdfxml+application%2Fvnd.adobe.x-mars+application%2Fvnd.fdf+application%2Fvnd.adobe.xfdf+application%2Fvnd.adobe.xdp%2Bxml+application%2Fvnd.adobe.xfd%2Bxml&callback=C

I would EXPECT to get
information about Adobe Acrobat (AKA Adobe Reader) - because it is about that plugin,
from the plugincheck Database,
that was 'recent / current'.

However, all the records have
>        'fetched': '2014-10-01T12:45:31-07:00',
which is '3 weeks old'!!

Using the same method, but this time looking for the
"v2?appID={... " just above the Flash icon
I had this URL:

https://plugins.mozilla.org/pfs/v2?appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D&appRelease=33&appVersion=20141011015303&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fx-shockwave-flash+application%2Ffuturesplash&callback=C


>        'fetched': '2014-10-13T01:21:57-07:00',

So, this is more recent BUT it is BEFORE I saw 
Adobe Flash Player 15.0.0.152
was correctly detected and reported as "vulnerable" (on 2014-10-15).

DJ-Leith

continued ...
"Plugincheck-Fx-33-Flash-with-line-numbers-2014-10-22.txt"

2 of 3

> 0008  */
>       *** Twenty lines added here
>       ***  URL:  https://www.mozilla.org/en-GB/plugincheck/ LIVE (for GB)  Date: 2014-10-22
>       ***  Browser: Fx 33 Release
>       ***  with ALL plugins enumerated - "plugins.enumerable_names" set to "*"
>       ***    Tools, Web Developer, Network  - look for "v2?appID={... "
>       ***    Try the 'one above the Flash logo'
>       ***    then choose "Headers", "Edit and Resend", click in the URL,
>       ***    <Ctrl>+<a> (to select all), Copy.
>       ***    Open a new Tab, and paste the URL.
>         https://plugins.mozilla.org/pfs/v2?appID= .... <snip> 
>       ***    Select the 'result' <Ctrl>+<a> (to select all),
>       ***    Copy and Paste into Scratchpad, "Pretty Print".
>       ***    Add line numbers and then these twenty unnumbered lines. 
>       ***    These match the Scratchpad line numbers (1433 lines).

I will discuss this in the next comment.

DJ-Leith

3 of 3

"Plugincheck-Fx-33-Flash-with-line-numbers-2014-10-22.txt"
was attached at comment # 2
https://bug1084537.bugzilla.mozilla.org/attachment.cgi?id=8509899


Looking at the output from the plugincheck Database
as seen this evening, 2014-10-22,
using Fx 33 (Release) at

LIVE - in my GB case
https://www.mozilla.org/en-GB/plugincheck/


Observations:

> 0037   'releases': {
> 0038     'latest': [
> 0039       {
> 0040         'id': '4',
> 0041         'pfs_id': 'adobe-flash-player',
> 0042         'name': 'Adobe Flash Player',
> 0043         'vendor': 'Adobe',
> 0044         'url': 'http://www.adobe.com/go/getflashplayer',
> 0045         'icon_url': 
'http://www.adobe.com/macromedia/style_guide/logos/flash_enabled/images/flash_enabled_logo_horizont_s.jpg',
> 0046         'license_url': 'http://www.adobe.com/go/eula_flashplayer',
> 0047         'modified': '2014-09-10T16:16:49+00:00',
> 0048         'created': '2014-09-10T16:16:49+00:00',
> 0049         'plugin_id': '1',
> 0050         'os_id': '3',
> 0051         'platform_id': '4',
> 0052         'status': 'latest',
> 0053         'version': '15.0.0.152',
> 0054         'detected_version': '15.0.0.152',
> 0055         'detection_type': '*',
> 0056         'os_name': 'win',
> 0057         'app_id': '*',
> 0058         'app_release': '*',
> 0059         'app_version': '*',
> 0060         'locale': '*',
> 0061         'fetched': '2014-10-13T01:21:57-07:00',
> 0062         'relevance': 3
> 0063       },

A.
While this is apparently the latest, it is NOT, it is version "15.0.0.152".
> 0038     'latest': [
it is declared as "latest",
has a status of "latest",
is in the 'section for "latest" ',

> 0052         'status': 'latest',
> 0053         'version': '15.0.0.152',
> 0054         'detected_version': '15.0.0.152',

and it was "fetched" *before* 2014-10-15.
> 0061         'fetched': '2014-10-13T01:21:57-07:00',


B.
These dates are plausible for adding "15.0.0.152" to the database:
> 0047         'modified': '2014-09-10T16:16:49+00:00',
> 0048         'created': '2014-09-10T16:16:49+00:00',

See
http://helpx.adobe.com/security/products/flash-player/apsb14-21.html


C. next is an 'older plugin', in the "others" section;
these WILL be declared, by the website, as "vulnerable".
> 0115     'others': [
> 0116       {
> 0117         'id': '4',
> 0118         'pfs_id': 'adobe-flash-player',
> 0119         'name': 'Adobe Flash Player',
> 0120         'vendor': 'Adobe',
> 0121         'url': 'http://www.adobe.com/go/getflashplayer',
> 0122         'icon_url': 
'http://www.adobe.com/macromedia/style_guide/logos/flash_enabled/images/flash_enabled_logo_horizont_s.jpg',
> 0123         'license_url': 'http://www.adobe.com/go/eula_flashplayer',
> 0124         'modified': '2014-09-10T16:16:49+00:00',
> 0125         'created': '2014-08-13T02:32:14+00:00',
> 0126         'plugin_id': '1',
> 0127         'os_id': '3',
> 0128         'platform_id': '4',
> 0129         'status': 'vulnerable',
> 0130         'vulnerability_description': 'These updates address vulnerabilities 
that could potentially allow an attacker to take control of the affected system.',
> 0131         'vulnerability_url': 
'http://helpx.adobe.com/security/products/flash-player/apsb14-21.html',
> 0132         'version': '14.0.0.179',
> 0133         'detected_version': '14.0.0.179',
> 0134         'detection_type': '*',
> 0135         'os_name': 'win',
> 0136         'app_id': '*',
> 0137         'app_release': '*',
> 0138         'app_version': '*',
> 0139         'locale': '*',
> 0140         'fetched': '2014-10-13T01:21:57-07:00',
> 0141         'relevance': 3
> 0142       },

See
http://helpx.adobe.com/security/products/flash-player/apsb14-18.html
where 14.0.0.176 (IE) and 14.0.0.179 (Windows Firefox) were to replace 14.0.0.145.

> 0125         'created': '2014-08-13T02:32:14+00:00',

Later (in September), when 15.0.0.152 was added, 14.0.0.179 was "modified":
> 0124         'modified': '2014-09-10T16:16:49+00:00',
> 0125         'created': '2014-08-13T02:32:14+00:00',



NOTE:
All the 
> 0140         'fetched': '2014-10-13T01:21:57-07:00',
are BEFORE bug 1083170

From comment # 1
> Carsten Book had done Bug 1083170 "October Flash updates" on
> 2014-10-15.  So, all was OK then on 2014-10-15.


I think that the database has been 'reverted'.
Has a backup been restored?

What process is 'fetching from the plugincheck Database'?

Why is nothing being "fetched" after 2014-10-13???
> 0061         'fetched': '2014-10-13T01:21:57-07:00',
> 0140         'fetched': '2014-10-13T01:21:57-07:00',
> 1427         'fetched': '2014-10-13T01:21:57-07:00',

I, and others, seem to be seeing 'out of date data'.

As a result, although the 15.0.0.189 was added to the Database
on 2014-10-15, some 'visitors to plugincheck' are still getting
the data that was fetched BEFORE 2014-10-15.

(from comment # 1)
> However, all the records have
> >        'fetched': '2014-10-01T12:45:31-07:00',
> which is '3 weeks old'!!

The data for Adobe Reader is even OLDER!



In the last few days there have been several Bugzilla bugs about
Flash 15.0.0.189


See

Bug 1083392 "Adobe Flash now 15.0.0.189 - plug in check database needs
updating [reported version is 15.0.0.152]" 

Bug 1087185 "Update plugincheck for flash player 15.0.0.189"


DJ-Leith

DJ-Leith, in comment # 1, wrote:

> Using the same method, but this time looking for the
> "v2?appID={... " just above the Flash icon
> I had this URL:
> 
> https://plugins.mozilla.org/pfs/v2?appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D&appRelease=33&appVersion=20141011015303&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fx-shockwave-flash+application%2Ffuturesplash&callback=C
> 
> 
>        'fetched': '2014-10-13T01:21:57-07:00',
> 
> So, this is more recent BUT it is BEFORE I saw 
> Adobe Flash Player 15.0.0.152
> was correctly detected and reported as "vulnerable" (on 2014-10-15).

I have repeated this step today 2014-11-06,
and used ScratchPad (as described above).

I STILL see
>        'fetched': '2014-10-13T01:21:57-07:00',

I think this means that 'plugincheck is using data, about Flash, that was
"fetched" on "2014-10-13T01:21:57-07:00" (the same Date and Time as before)'.

This is 'old data' and I think it explains WHY the 'plugincheck website thinks'
(very anthropomorphic) that Flash 15.0.0.152 is the "latest",
and so declares it "Up to Date".

DJ-Leith

In view of this bug, I decided to NOT update Flash on this computer,
so that I had a "vulnerable" version of Flash to test Plugincheck.

See bug 1097659 "Adobe update for Flash Player 15.0.0.223", where
Carsten Book [:Tomcat] on 2014-11-12 at 06:15:02 PST (bug 1097659 comment # 1)
> pushed to production

So the correct detection should be:

Adobe Flash Player 15.0.0.189 "vulnerable" and
Adobe Flash Player 15.0.0.223 "Up to Date".

The website (en-US), (en-GB) and (de) are still showing
Flash version "15.0.0.189" as "Up to Date" (or Aktuell in German).

https://www.mozilla.org/en-US/plugincheck/
https://www.mozilla.org/en-GB/plugincheck/
https://www.mozilla.org/de/plugincheck/
  The US and the DE pages correctly ask: "Would you like to see this page in your language?"
  I am in GB [user_pref("general.useragent.locale", "en-GB"); i.e. the default].

Tested with Fx 33.1 on 2014-11-11 (before 1097659 was opened)
and again today 2014-11-12 AFTER bug 1097659 comment # 1.

Using another Fx 33.1, on a different profile, and using UA spoofing:

user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31");

I do get "15.0.0.189" reported as "vulnerable" - CORRECT.
Spoofing the UA to Fx 35 I also get "15.0.0.189" reported as "vulnerable"
(with the WRONG result for Adobe Reader 11.0.9.29 - expected see bug 1020133).

I speculate that in these 'less common situations' a new 'lookup of
the data' (as opposed to 'get from some cache') results in the CORRECT
result: 15.0.0.189 is reported as "vulnerable".


Meanwhile, the 'normal Fx 33.1 with no "general.useragent.override" UA spoof'
is still getting the WRONG result.  I have restarted this instance of Fx 33.1
several times.  I do NOT think the issue is in the Firefox Profile Cache
on my computer.

I again used the procedure outlined above:

The URL today was:
https://plugins.mozilla.org/pfs/v2?appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D&appRelease=33&appVersion=20141106120505&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fx-shockwave-flash+application%2Ffuturesplash&callback=C

This time the "fetched" is more recent.
>        'fetched': '2014-11-10T06:03:12-08:00'
However, this is BEFORE Carsten had pushed to production.

  See bug 1097659 "Adobe update for Flash Player 15.0.0.223", where
  Carsten Book [:Tomcat] on 2014-11-12 at 06:15:02 PST (bug 1097659 comment # 1)
  > pushed to production

To be clear.
I am getting both the correct result and the wrong result today.
The correct result is shown when I use Fx 33.1 with a UA override.
I also see the correct result, for Flash, with Fx 35.0a2 (2014-11-12)
(Aurora AKA "Firefox Developer Edition").

The WRONG result, which I am still seeing, is on another instance of
Fx 33.1 which is being 'used normally'. 

So, I think the issue may be 'the Plugincheck Website' is not
collecting the 'most recent' data from the 'Plugincheck Database'.
Instead, it may be using 'cached data' in some situations.  

DJ-Leith

"Fx-33-1-do-Plugincheck-Network-Force-Reload-2014-11-14.png"

I will comment on this screenshot in comment # 7 [at Point 4 onwards] (see part next).

> 3. Once plugincheck has 'tested the plugins' and you have a 'report', open Network.
>       Tools, Web Developer, Network (Ctrl+Shift+Q)
>       I find it easier if this is a 'floating window', the URL will be in the 'Window Title'
>       "Network - https://www.mozilla.org/en-US/plugincheck/" in this example.
> 
> 4. Force a reload, use Ctrl+Shift+R to reload without cache.
> 
> 5. Look for lines that start "v2?appID={... "



Correction to comment # 1.

In this section, of comment # 1, I pasted the
"https://plugins.mozilla.org/pfs/v2?appID={e ... ..." URL incorrectly

> 
> From bug 1020133 comment # 32
> https://bug1020133.bugzilla.mozilla.org/attachment.cgi?id=8492688
> 
> you can see the 'output from the plugincheck Database'.
> 
> Using Release, Fx 33, this evening 2014-10-22
> and going 'direct to the URL':
> 
> https://plugins.mozilla.org/pfs/v2?appID={e ... ... <snip>
> 
> 
> I would EXPECT to get
> information about Adobe Acrobat (AKA Adobe Reader) - because it is about that plugin,
> from the plugincheck Database,
> that was 'recent / current'.
> 
> However, all the records have
> >        'fetched': '2014-10-01T12:45:31-07:00',
> which is '3 weeks old'!!


The correct URL is in
> https://bug1020133.bugzilla.mozilla.org/attachment.cgi?id=8492688
and it is long, and one has to take care when pasting it into Bugzilla.

https://plugins.mozilla.org/pfs/v2?appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appRelease=32&appVersion=20140825202822&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fpdf+application%2Fvnd.adobe.pdfxml+application%2Fvnd.adobe.x-mars+application%2Fvnd.fdf+application%2Fvnd.adobe.xfdf+application%2Fvnd.adobe.xdp%2Bxml+application%2Fvnd.adobe.xfd%2Bxml&callback=C

It is very similar to the 'Reader URL' pasted below, in comment # 7.

DJ-Leith

The issue continues.
Remember, I have deliberately not updated Flash on this computer and so I still have
Adobe Flash Player Version "15.0.0.189".
I have also NOT updated the ActiveX Flash plugins for Internet Explorer.

Windows 7 64 bit OS.

The correct detection should be:

Adobe Flash Player 15.0.0.189 "vulnerable" and
Adobe Flash Player 15.0.0.223 "Up to Date".

On, 2014-11-13 and 2014-11-14, using Release Firefox Fx 33.1 at the 'normal for GB' Plugincheck:

https://www.mozilla.org/en-GB/plugincheck/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=plugincheck-update

As well as these 3, that I reported in comment # 5:

https://www.mozilla.org/en-US/plugincheck/
https://www.mozilla.org/en-GB/plugincheck/
https://www.mozilla.org/de/plugincheck/

All four plugincheck tests detect, correctly, that I have Flash 15.0.0.189
BUT all four tests say that this plugin is "Up to Date" - in ERROR.

At the same time, using
Fx 33.1, with UA spoof to either Fx 31 or Fx 35 - all 8 tests correctly report "vulnerable".

Fx 35.0a2 (2014-11-14) Aurora AKA "Firefox Developer Edition" also correctly reports "vulnerable".
Internet Explorer 9 (both 32 bit and 64 bit versions), also correctly report Flash as "vulnerable".


******
STR
******

It is quite difficult to document this or to produce an easy STR.

1. Start Firefox 33.1

2. Do a plugincheck (actual site may not matter) try 
      https://www.mozilla.org/en-US/plugincheck/

3. Once plugincheck has 'tested the plugins' and you have a 'report', open Network.
      Tools, Web Developer, Network (Ctrl+Shift+Q)
      I find it easier if this is a 'floating window', the URL will be in the 'Window Title'
      "Network - https://www.mozilla.org/en-US/plugincheck/" in this example.

      https://bug1084537.bugzilla.mozilla.org/attachment.cgi?id=8522997
      See screenshot linked to comment # 6, URL just above.

4. Force a reload, use Ctrl+Shift+R to reload without cache.

5. Look for lines that start "v2?appID={... "

6. 'Click' the "v2?appID={... " to Select the 'row' you are interested in.
   Then choose "Headers", "Edit and Resend", click in the URL,
   <Ctrl>+<a> (to select all), Copy.

7. In Firefox, Open a new Tab, and paste the URL.

8. In the 'new Tab', Select the 'result' <Ctrl>+<a> (to select all),
   Copy and Paste into Scratchpad (Shift+F4).
   Paste at Line 9 of Scratchpad, then "Pretty Print".


An example, for Adobe Reader - with added line numbers, from bug 1020133 see:
https://bug1020133.bugzilla.mozilla.org/attachment.cgi?id=8492688
Date: 2014-09-20.


Two "v2?appID={... " URLs are informative for this bug: Flash
(and bug 1020133 comment # 76 onwards - Reader)

Flash

https://plugins.mozilla.org/pfs/v2?appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D&appRelease=33&appVersion=20141106120505&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fx-shockwave-flash+application%2Ffuturesplash&callback=C

Line 61 of the Scratchpad
>        'fetched': '2014-11-10T06:03:12-08:00'


Reader

https://plugins.mozilla.org/pfs/v2?appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D&appRelease=33&appVersion=20141106120505&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fpdf+application%2Fvnd.adobe.pdfxml+application%2Fvnd.adobe.x-mars+application%2Fvnd.fdf+application%2Fvnd.adobe.xfdf+application%2Fvnd.adobe.xdp%2Bxml+application%2Fvnd.adobe.xfd%2Bxml&callback=C


Line 47 of the Scratchpad
>          'fetched': '2014-11-13T15:52:15-08:00'



Note:

The "fetched" is the same date all the way through
Line 61, 86, 111, 140 etc all have
>        'fetched': '2014-11-10T06:03:12-08:00'
for Flash.

In the 'Reader data', the 'fetched dates' are consistent as well (lines 47, 71 etc).

Each 'query for the specific plugin', Flash or Reader, has been fetched on a
DIFFERENT date.  Both, however, are 'old data'.

I believe the Plugin Finder Service (or part of it) is 'collecting data from
the Plugincheck Database' and this data is old. IT IS OUT OF DATE
but it is being used in the 'assessment' of the 'detected plugins'.

So, Flash is being 'tested against' the data that was
>        'fetched': '2014-11-10T06:03:12-08:00'
and we have the WRONG result for Flash Version 15.0.0.189

Reader is being 'tested against' the data that was
>          'fetched': '2014-11-13T15:52:15-08:00'


In comment # 6 the Reader URL is similar
BUT NOT IDENTICAL and the result is that

Reader, on 2014-10-22, WAS being 'tested against' the data that was
>        'fetched': '2014-10-01T12:45:31-07:00'
which was '3 weeks old' at the time of that plugincheck test!


One difference between the URLs for Reader is

(from comment # 6)
> ... appVersion=20140825202822

(from comment # 7)
> ... appVersion=20141106120505

These "appVersion" version numbers look like Dates to me.


Schalk,

I am convinced that 'something' is 'fetching the data from the Plugincheck Database'.
I don't know what is producing these 'dynamic URLs' but it does appear
that these processes have in recent weeks and continue today to 'present old data'.

Why are we seeing 'old data'?
Could this data be produced 'fresh every 8 hours'? - that would be better than 'old data'.

Or, perhaps, every time the particular Plugin (e.g. Adobe Flash) was updated
in the Plugincheck Database - a new query could be made.
So, each time a plugin was declared "vulnerable" the relevant
'extract this data for use at the plugincheck web site' query was ALSO created. 


One more thought:

In the 'new plugincheck which uses the JSON list':
https://plugins.mozilla.org/en-us/plugins_list.json
which is 5,750 lines of data (including 8 lines of Scratchpad comment)
there are no "fetched" dates.

From bug 1020133 comment # 33
https://bug1020133.bugzilla.mozilla.org/attachment.cgi?id=8487601
In this example, from 2014-09-10, there are 5,428 lines in the 'JSON List'.

For debugging, it might be an idea to have a Date and Time that
the 'JSON List' was generated included in the JSON List, e.g. at the end.

Perhaps there should be a separate bug for 'add a generated time stamp' to the
JSON List?


DJ-Leith
Flags: needinfo?(schalk.neethling.bugs)

"Fx-33-1-1-do-Plugincheck-Network-Force-Reload-2014-11-15.png"

I'll describe this in comment # 10.

Fx 33.1 Plugincheck, (en-US), 2014-11-15, Flash "15.0.0.189" is now "vulnerable".
build=d1d3974

We now have the correct result!  I also get the correct result at en-GB.
This has taken 3 days to update!

DJ-Leith

"Flash-Plugincheck-en-US-Fx-33-1-1-BUG-1084537-c9-with-line-numbers-2014-11-15.txt"

> 0006   * 2. Inspect to bring up an Object Inspector on the result (Ctrl+I), or,
> 0007   * 3. Display to insert the result in a comment after the selection. (Ctrl+L)
> 0008   */
>     *** Inserted 20 lines here.
>     *** 
>     ***  URL:     https://www.mozilla.org/en-US/plugincheck/
>     ***  Browser: Fx 33.1.1 Release
>     ***    with ALL plugins enumerated - "plugins.enumerable_names" set to "*"
>     *** 
>     ***      Tools, Web Developer, Network  - look for "v2?appID={... "
>     ***      Hover to see "Flash", then Select, then choose "Headers", "Edit and Resend",
>     ***       click in the URL, <Ctrl>+<a> (to select all), Copy.
>     ***      Open a new Tab, and paste the URL.
>     ***    In this case URL is https://plugins.mozilla.org/pfs/v2?appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appRelease=33&appVersion=2014113143407&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fx-shockwave-flash+application%2Ffuturesplash&callback=C
>     *** 
>     ***      Select the 'result' <Ctrl>+<a> (to select all), Copy and Paste into Scratchpad, "Pretty Print".
>     *** 
>     ***      Add line numbers and these twenty lines. 
>     ***      These match the Scratchpad line numbers (1541 lines). 
>     *** 
>     ***    In this case, build=d1d3974
>     *** 
>     *** 
> 0009  C([{
> 0010    'aliases': {
> 0011      'regex': [
> 0012        '.*Flash.*',
> 0013        '.*Flash.*',


I'll describe this in comment # 10.

Fx 33.1 Plugincheck, (en-US), 2014-11-15, Flash "15.0.0.189" is now "vulnerable".
build=d1d3974

URL for Flash is:

https://plugins.mozilla.org/pfs/v2?appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appRelease=33&appVersion=20141113143407&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fx-shockwave-flash+application%2Ffuturesplash&callback=C

DJ-Leith

Fx 33.1 Plugincheck, (en-US), 2014-11-15, Flash "15.0.0.189" is now "vulnerable".
build=d1d3974

URL for Flash is:

https://plugins.mozilla.org/pfs/v2?appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appRelease=33&appVersion=20141113143407&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fx-shockwave-flash+application%2Ffuturesplash&callback=C

We now have the correct result!
I also get the correct result at en-GB.

It has taken 3 days!! since the Plugincheck Database was updated.

See bug 1097659 comment # 1
> Carsten Book [:Tomcat] 2014-11-12 06:15:02 PST
> pushed to production

******
Why is this taking so long?
******

First,
look at build=...

On 2014-11-13 and 2014-11-14 I think the build was "f3b2d77"
e.g. "tabzilla.js?build=f3b2d77"

Now,
see the "Fx-33-1-1-do-Plugincheck-Network-Force-Reload-2014-11-15.png"
https://bug1084537.bugzilla.mozilla.org/attachment.cgi?id=8523465
attached at comment # 8
the build is "d1d3974".

Second,
look at the data that 'was pulled from the Plugincheck Database',
when I did another Plugincheck today, 2014-11-15.

See
"Flash-Plugincheck-en-US-Fx-33-1-1-BUG-1084537-c9-with-line-numbers-2014-11-15.txt"
https://bug1084537.bugzilla.mozilla.org/attachment.cgi?id=8523466
attached at comment 9.

Notes:

> 0037    'releases': {
> 0038      'latest': [
> 0039        {
> 0040          'id': '4',
> 0041          'pfs_id': 'adobe-flash-player',
> 0042          'name': 'Adobe Flash Player',
> 0043          'vendor': 'Adobe',
> 0044          'url': 'http://www.adobe.com/go/getflashplayer',
> 0045          'icon_url': 
'http://www.adobe.com/macromedia/style_guide/logos/flash_enabled/images/flash_enabled_logo_horizont_s.jpg',
> 0046          'license_url': 'http://www.adobe.com/go/eula_flashplayer',
> 0047          'modified': '2014-11-12T22:14:51+00:00',
> 0048          'created': '2014-11-12T22:14:51+00:00',
> 0049          'plugin_id': '1',
> 0050          'os_id': '3',
> 0051          'platform_id': '4',
> 0052          'status': 'latest',
> 0053          'version': '15.0.0.223',
> 0054          'detected_version': '15.0.0.223',
> 0055          'detection_type': '*',
> 0056          'os_name': 'win',
> 0057          'app_id': '*',
> 0058          'app_release': '*',
> 0059          'app_version': '*',
> 0060          'locale': '*',
> 0061          'fetched': '2014-11-15T09:27:47-08:00',
> 0062          'relevance': 3
> 0063        },


A.  The "latest" is now "15.0.0.223" - correct.
> 0038      'latest': [

> 0053          'version': '15.0.0.223',

B.  This was added on "2014-11-12T22:14:51+00:00"
> 0047          'modified': '2014-11-12T22:14:51+00:00',
> 0048          'created': '2014-11-12T22:14:51+00:00',

as noted above in bug 1097659 comment # 1
> Carsten Book [:Tomcat] 2014-11-12 06:15:02 PST
> pushed to production
The Date and Time matches.

C.  This 'data was fetched from the Plugincheck Database' on "2014-11-15",
3 days later!!
> 0061          'fetched': '2014-11-15T09:27:47-08:00',


D.  The data is very plausible, in this next section we see "15.0.0.189"
being declared "vulnerable" in the Plugincheck Database.

> 0115      'others': [
> 0116        {
> 0117          'id': '4',
> 0118          'pfs_id': 'adobe-flash-player',
> 0119          'name': 'Adobe Flash Player',
> 0120          'vendor': 'Adobe',
> 0121          'url': 'http://www.adobe.com/go/getflashplayer',
> 0122          'icon_url': 
'http://www.adobe.com/macromedia/style_guide/logos/flash_enabled/images/flash_enabled_logo_horizont_s.jpg',
> 0123          'license_url': 'http://www.adobe.com/go/eula_flashplayer',
> 0124          'modified': '2014-11-12T22:14:51+00:00',
> 0125          'created': '2014-10-15T20:49:07+00:00',
> 0126          'plugin_id': '1',
> 0127          'os_id': '3',
> 0128          'platform_id': '4',
> 0129          'status': 'vulnerable',
> 0130          'vulnerability_description': 'vendor information',
> 0131          'vulnerability_url': 'http://helpx.adobe.com/security/products/flash-player/apsb14-24.html',
> 0132          'version': '15.0.0.189',
> 0133          'detected_version': '15.0.0.189',
> 0134          'detection_type': '*',
> 0135          'os_name': 'win',
> 0136          'app_id': '*',
> 0137          'app_release': '*',
> 0138          'app_version': '*',
> 0139          'locale': '*',
> 0140          'fetched': '2014-11-15T09:27:47-08:00',

D1. Added to the Database on "2014-10-15"
> 0125          'created': '2014-10-15T20:49:07+00:00',

D2. Declared "vulnerable" on "2014-11-12" when "15.0.0.223" was added
and so it is now in the "others" section.
> 0115      'others': [

> 0124          'modified': '2014-11-12T22:14:51+00:00',

D3. Data was again "fetched" today 2015-11-15 - 3 days AFTER the Database was Updated.
> 0140          'fetched': '2014-11-15T09:27:47-08:00',


Third,
the "appVersion" section of the URL to 'collect data about Flash':

(from comment # 7)
> appVersion=20141106120505

Line 61 of the Scratchpad
>        'fetched': '2014-11-10T06:03:12-08:00'

(from comment # 9)
> appVersion=20141113143407

Line 61 of the Scratchpad
> 0061          'fetched': '2014-11-15T09:27:47-08:00',

So, I speculate, that these dynamic URLs were 'generated'
on 2014-11-06 and 2014-11-13.
Why were they not *used* sooner??

Why did it take so long for the 'Plugincheck Website' to start to give
the 'correct answer' for Flash?


What matters is that, as we saw on 2014-11-14, the Plugincheck Website was
using 'old data' and was giving the WRONG result.

In comment # 7 DJ-Leith on 2014-11-14 at 07:55:06 PST  wrote:
> Each 'query for the specific plugin', Flash or Reader, has been fetched on a
> DIFFERENT date.  Both, however, are 'old data'.
> 
> I believe the Plugin Finder Service (or part of it) is 'collecting data from
> the Plugincheck Database' and this data is old. IT IS OUT OF DATE
> but it is being used in the 'assessment' of the 'detected plugins'.
> 
> So, Flash is being 'tested against' the data that was
> >        'fetched': '2014-11-10T06:03:12-08:00
> and we have the WRONG result for Flash Version 15.0.0.189
> 
> Reader is being 'tested against' the data that was
> >          'fetched': '2014-11-13T15:52:15-08:00'
> 
> 
> In comment # 6 the Reader URL is similar
> BUT NOT IDENTICAL and the result is that
> 
> Reader, on 2014-10-22, WAS being 'tested against' the data that was
> >        'fetched': '2014-10-01T12:45:31-07:00'
> which was '3 weeks old' at the time of that plugincheck test!

Schalk,
I hope there is now enough evidence to allow you and your infrastructure colleagues
to get to the bottom of this.

(from comment # 5)
> In view of this bug, I decided to NOT update Flash on this computer,
> so that I had a "vulnerable" version of Flash to test Plugincheck.

I will shortly update my Flash plugins, now that the Plugincheck Website
is giving the correct result.

DJ-Leith
Thanks for all of this information, I really appreciate it. I will keep my eyes peeled for this happening again. I did a big cleanup of the database today and production looks to be already updated.
Flags: needinfo?(schalk.neethling.bugs)
I am seeing this now. I have Windows 7, Firefox 34.0.5 (locale: Russian) and Shockwave Flash 15.0.0.239, but the 'plugin check' page says that it is up-to-date.
https://www.mozilla.org/ru/plugincheck/

According to Adobe Security Bulletin (issued December 9, 2014) this version is vulnerable,
http://helpx.adobe.com/security/products/flash-player/apsb14-27.html

It is vulnerable to CVE-2014-9163 which is being exploited in the wild. One needs to update to at least 15.0.0.246 and better to 16.0.0.235.

The check url is
https://plugins.mozilla.org/pfs/v2?appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D&appRelease=34&appVersion=20141126041045&clientOS=Windows&chromeLocale=ru-RU&detection=version_available&mimetype=application%2Fx-shockwave-flash+application%2Ffuturesplash&callback=C

I will attach the response that I received.

Response has the following HTTP headers:
Cache-Control: max-age=3600
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/javascript
Date: Thu, 11 Dec 2014 16:18:34 GMT
Expires: Thu, 11 Dec 2014 9:18:34 GMT
Keep-Alive: timeout=5, max=1000
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
Vary: User-Agent, Accept-Encoding
Via: Moz-Cache-zlb12
X-Backend-Server: plugins1.webapp.phx1.mozilla.com
X-Cache-Info: cached
X-Frame-Options: DENY
X-Powered-By: PHP/5.3.3

The "Vary" header explains why you get a different response if you change your User-Agent string. The Expiry header being earlier than Date is odd.

(I did the same request 16 hours earlier, and I observed the following headers:
Date: Thu, 11 Dec 2014 00:34:38 GMT
Expires: Thu, 11 Dec 2014 17:34:37 GMT
Via: "Moz-Cache-zlb12"
X-Backend-Server: "plugins1.webapp.phx1.mozilla.com"
X-Cache-Info: "caching"

Here "Expires" was in the future. 17 hours is a lot... Why not 8?)
The times for the first entry are
        'modified': '2014-11-26T23:27:18+00:00',
        'created': '2014-11-26T23:27:18+00:00',
        'fetched': '2014-11-26T15:34:14-08:00',
For completeness, request headers that my browser sends (minus the Cookie values, I am censoring them here) when I explicitly request that /v2 URL:

Host: plugins.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: optimizelySegments=<...>; optimizelyEndUserId=<...>; optimizelyBuckets=<...>; __utma=<...>; __utmz=<...>; _ga=<...>; __utmc=<...>; __utmb=<...>; kohanasession=<...>; kohanasession_data=<...>
Connection: keep-alive
Cache-Control: max-age=0
FAO Carsten Book,
please can you review all of this bug.

On two recent occasions we have had a
'Flash version added to the Plugincheck Database';
and then we have seen some 'odd results'.

We have had the SAME plugin reported as
"Up to Date" and "vulnerable" on the same day! 


Konstantin,
your reports are valuable.

To my mind the key fact is
(from comment # 14 - data seen on 2014-12-11)
>         'fetched': '2014-11-26T15:34:14-08:00',

All the way through the 'data about Flash fetched from the Database'
(attached to comment # 13)
https://bug1084537.bugzilla.mozilla.org/attachment.cgi?id=8535066

we see
>         'fetched': '2014-11-26T15:34:14-08:00',

We do NOT see ANY reference to
Flash "16.0.0.235" which Schalk Neethling added to the 'Plugincheck Database'
in bug 1109488 comment # 1
at
2014-12-10 01:13:58 PST 

Again,
we are seeing 'old data that was fetched' BEFORE (more than 2 weeks BEFORE)
an update added new data to the Database!



I can report, using
https://www.mozilla.org/en-GB/plugincheck/

On 2014-12-10 I saw (again - I have done many tests)
Flash "15.0.0.223" reported as "vulnerable" - GOOD.

I have seen this since 2014-11-26 13:40 PST,
following Carsten Book adding "15.0.0.239" to the 'Plugincheck Database'.

See bug 1105307 comment # 1

Carsten Book [:Tomcat] on 2014-11-26 at 07:36:12 PST
> updated plugincheck database in production


(I said, in bug 1083392 comment # 7)
> https://bug1083392.bugzilla.mozilla.org/attachment.cgi?id=8532196
> Please see screenshot "Fx-34-Flash-15-0-0-223-CORRECT-2014-12-04.png".
> 
> Using Windows 7 64 bit OS, with Fx 34 (en-GB), on 2014-12-04,
> I have a CORRECT result for Flash 15.0.0.223 being reported as "vulnerable".

I had kept Flash "15.0.0.223" deliberately to test the 'Plugincheck Website'.

On 2014-12-10 I updated Flash Player to "16.0.0.235" and I have had
it reported as "Up to Date" (on 2014-12-10 and again today 2014-12-11).

  I have kept my 'old Adobe Reader', "11.0.9.29", to test
  bug 1109858 "Adobe Reader (and Acrobat) for Windows and Macintosh - plugins
  vulnerable 2014-12-09 - APSB14-28"


FAO Carsten Book

Three points:

A. Did you see this comment?

(from bug 1101613 comment # 8)
>     In bug 1105307 (see below) 
>     Carsten Book said:
>     "plugincheck need to be updated as well. will take this bug"
>       Carsten, you said "as well": do you do 'two things' when there
>       is a 'new Flash Plugin'?
>         Is one of them 'Update the Plugincheck Database' and
>         ANOTHER something to do with the 'dynamic URLs'
> >        https://plugins.mozilla.org/pfs/v2?appID={...  ...
>         I referred to
>         in bug 1084537 and in bug 956905 comment # 149

When somebody adds an Adobe Flash plugin to the 'Plugincheck Database'
do they have to 'do something' to create the 'dynamic URLs'?


B. Please can you comment on this?
*** Are there ANY dependencies on PFS or PFS2? ***

(from bug 956905 comment # 149)
> The 'plugincheck using enumeration' was developed using 'ideas, infrastructure and
> code' from the "Plugin Finder Service" (and later PFS2).
> Are there ANY dependencies on PFS or PFS2?
> 
> I ask because:
> 
> A. We saw in
> bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable, on Windows 7"
> 
> that the "1A" method still relies on 'dynamic URLs' that include
> > https://plugins.mozilla.org/pfs/v2?appID={...  ...
> that 'fetch' data from the 'Plugincheck Database',
> DEPENDING on the 'detected by enumeration' plugin at the 'Plugincheck Website'.
> This data can be 'out of date', i.e. it was "fetched" BEFORE the recent
> update of the 'Plugincheck Database'.  There is more information in that bug.
> The point is, a WRONG Report was given because 'out of date data' was used
> to make the evaluation.
> 
> Does the 'creation of the dynamic URLs',
> or the use of these 'dynamic URLs' depend on
> ANY infrastructure or code that is 'being retired along with the PFS'?
>
> B. see bug 1071161 "Retire PFS web service"
(there is more in that comment).

C. Has anybody seen bug 1109858?
I will test the Adobe Reader plugin when the Database has been updated.

DJ-Leith
Flags: needinfo?(cbook)
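
The staleness evidence collected in the comments above can be checked mechanically. This is an added example, not part of the bug thread or of Plugincheck's code: the header values, the 'fetched' timestamp and the database update time are copied from the comments above (PST written as -08:00), and the function names and finding labels are hypothetical.

```python
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

# Response headers as reported in the thread for the pfs/v2 Flash query.
SAMPLE_HEADERS = """\
Cache-Control: max-age=3600
Date: Thu, 11 Dec 2014 16:18:34 GMT
Expires: Thu, 11 Dec 2014 9:18:34 GMT
Via: Moz-Cache-zlb12
X-Cache-Info: cached
"""
# 'fetched' value from the response body, as reported in the thread.
SAMPLE_FETCHED = "2014-11-26T15:34:14-08:00"
# "2014-12-10 01:13:58 PST" from the thread, with PST written as -08:00.
SAMPLE_DB_UPDATE = "2014-12-10T01:13:58-08:00"


def parse_headers(raw):
    """Turn 'Name: value' lines into a dict keyed by lower-case name."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def max_age_seconds(cache_control):
    """Return the max-age directive as an int, or None if it is absent."""
    match = re.search(r"\bmax-age\s*=\s*(\d+)", cache_control or "", re.I)
    return int(match.group(1)) if match else None


def audit_response(raw_headers, fetched_iso, db_update_iso):
    """Compare cache headers and payload timestamps for one response."""
    headers = parse_headers(raw_headers)
    served = parsedate_to_datetime(headers["date"])
    fetched = datetime.fromisoformat(fetched_iso)
    db_update = datetime.fromisoformat(db_update_iso)
    max_age = max_age_seconds(headers.get("cache-control"))

    report = {
        "max_age": max_age,
        # How old the payload already was when the cache served it.
        "payload_age_seconds": int((served - fetched).total_seconds()),
        "expires_minus_date_seconds": None,
        "findings": [],
    }
    if "expires" in headers:
        expires = parsedate_to_datetime(headers["expires"])
        delta = int((expires - served).total_seconds())
        report["expires_minus_date_seconds"] = delta
        if delta < 0:
            report["findings"].append("expires-before-date")
        elif max_age is not None and delta != max_age:
            report["findings"].append("expires-disagrees-with-max-age")
    if max_age is not None and report["payload_age_seconds"] > max_age:
        report["findings"].append("payload-older-than-max-age")
    # Served after the database changed, but built from data fetched before.
    if fetched < db_update <= served:
        report["findings"].append("payload-predates-database-update")
    return report


if __name__ == "__main__":
    result = audit_response(SAMPLE_HEADERS, SAMPLE_FETCHED, SAMPLE_DB_UPDATE)
    for key, value in result.items():
        print(f"{key}: {value}")
```
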
Hi,

Moving away from working on plugincheck (I guess espressive will be the number one contact in the future).

For your points:

"When somebody adds an Adobe Flash plugin to the 'Plugincheck Database'
do they have to 'do something' to create the 'dynamic URLs'?"

No, it's just pasting data into some fields on a website, like version number etc., so all the background stuff like the dynamic URL etc. is done automatically. When we update a plugin, the one who updates the data does no direct SQL insert or anything manually; it's all done via a GUI -> database.
Flags: needinfo?(cbook)
"Plugincheck-JSON-List-with-line-numbers-2014-12-12.txt"
I'll discuss this in comment # 20.

1 of 3
 

(In reply to Carsten Book [:Tomcat] from comment #17)
Thanks for the clarification Carsten.


Schalk,
Thanks for doing bug 1109858
"Adobe Reader (and Acrobat) for Windows and
Macintosh - plugins vulnerable 2014-12-09 - APSB14-28"

The issue still seems to be,
plugincheck using enumeration,
  i.e. Fx Release [Fx 34.0 and Fx 34.0.5] and (NOT the 'JSON List')
is using 'old data' to assess the visiting browser's plugins.
As the "fetched" data is old, the report is WRONG.

The 'JSON List' has better data (for Flash).


Bug 1109981 "Firefox 34.0.5 not detecting Flash needs updating"
is a possible Duplicate.

https://bug1109981.bugzilla.mozilla.org/attachment.cgi?id=8534749
Screenshot, by helloworldweb, on 2014-12-10 (from bug 1109981 comment # 0)

https://bug1109981.bugzilla.mozilla.org/attachment.cgi?id=8535433
"plugin-check-german-2014-12-12-7.43-GMT.PNG"
Screenshot, by Harald Fassler (from bug 1109981 comment # 2)

DJ-Leith

continued ...
"Fx-34-Flash-15-0-0-246-WRONG-Reader-11-0-9-29-WRONG-2014-12-12.png"

2 of 3

Fx 34, 2014-12-12, 19:10 GMT (2014-12-12, 11:10 PST)


Flash and Reader are WRONG.
Flash should be at version "16.0.0.235" for "Up to Date",
Added to the Plugincheck Database on 2014-12-10 at 01:13:58 PST in bug 1109488

Reader should be at version "11.0.10.xx" for "Up to Date", 
Added to the Plugincheck Database on 2014-12-12 at 00:39:33 PST in bug 1109858

DJ-Leith

continued ...
"Fx-36-using-JSON-List-Flash-15-0-0-246-correct-Reader-11-0-9-29-WRONG-2014-12-12.png"

3 of 3


Fx Aurora (AKA Firefox Development Edition) 36.0a2 (2014-12-12)
2014-12-12, 19:10 GMT (2014-12-12, 11:10 PST)
Same computer as comment # 19, same time.

Flash should be at version "16.0.0.235" for "Up to Date",
Added to the Plugincheck Database on 2014-12-10 at 01:13:58 PST in bug 1109488

Reader should be at version "11.0.10.xx" for "Up to Date", 
Added to the Plugincheck Database on 2014-12-12 at 00:39:33 PST in bug 1109858

Here we see that the 'JSON List' has data from the Plugincheck Database.

Note: the subtle missing "... Netscape 11.0.9", next to the Reader Logo.
This data came from the 'JSON List' (see bug 1105312).


***
Flash Player
***

https://bug1084537.bugzilla.mozilla.org/attachment.cgi?id=8535934
The 'JSON List', at 2014-12-12, attached to comment # 18.

The 'JSON List' has Flash "16.0.0.235", so the Flash report is correct.

> 0675	        'win': {
> 0676	          'latest': [
> 0677	            {
> 0678	              'status': 'latest',
> 0679	              'version': '16.0.0.235',
> 0680	              'detected_version': '16.0.0.235',
> 0681	              'detection_type': '*',
> 0682	              'os_name': 'win',
> 0683	              'platform': {
> 0684	                'app_id': '*',
> 0685	                'app_release': '*',
> 0686	                'app_version': '*',
> 0687	                'locale': '*' 


"15.0.0.246", shown in the screenshot, is NOT in the 'JSON List'.
  I think it was offered automatically after "15.0.0.239", which was released 2014-11-25.
    Release date: November 25, 2014
    Vulnerability identifier: APSB14-26
    http://helpx.adobe.com/security/products/flash-player/apsb14-26.html

In the most recent Adobe Security Bulletin
Release date: December 9, 2014
Vulnerability identifier: APSB14-27
http://helpx.adobe.com/security/products/flash-player/apsb14-27.html

> Note: Users who have been updated to version 15.0.0.246 are not affected by CVE-2014-9163.
The exploit for CVE-2014-9163 exists in the wild.

There are OTHER reasons to update to "16.0.0.235".

Flash "15.0.0.239" is in the 'JSON List' (added to the Plugincheck Database in bug 1105307).

> 0752	              'status': 'vulnerable',
> 0753	              'vulnerability_description': 
'Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.  
These updates address vulnerabilities that could potentially allow an attacker to take control
of the affected system.',
> 0754	              'vulnerability_url':
'http://helpx.adobe.com/security/products/flash-player/apsb14-27.html',
> 0755	              'version': '15.0.0.239',
> 0756	              'detected_version': '15.0.0.239',
> 0757	              'detection_type': '*',
> 0758	              'os_name': 'win',
> 0759	              'platform': {
> 0760	                'app_id': '*',
> 0761	                'app_release': '*',
> 0762	                'app_version': '*',
> 0763	                'locale': '*'


***
Adobe Reader
***

The 'JSON List' has 'poor data' for Adobe Reader:


  Security Updates available for Adobe Reader and Acrobat
  Release date: December 9, 2014
  Vulnerability identifier: APSB14-28
  http://helpx.adobe.com/security/products/reader/apsb14-28.html
    Added to the Plugincheck Database on 2014-12-12 at 00:39:33 PST in bug 1109858


> 1696	    'adobe-reader': {
> 1697	      'display_name': 'Adobe Reader',
> 1698	      'description': 'Adobe PDF Plug-In For Firefox and Netscape',
> 1699	      'versions': {
> 1700	        'all': {
> 1701	          'latest': [
> 1702	            {
> 1703	              'status': 'latest',
> 1704	              'version': '10.1',
> 1705	              'detected_version': '10.1',
> 1706	              'detection_type': '*',
> 1707	              'os_name': '*',
> 1708	              'platform': {
> 1709	                'app_id': '*',
> 1710	                'app_release': '*',
> 1711	                'app_version': '*',
> 1712	                'locale': '*'
> 1713	              }
> 1714	            }
> 1715	          ],

Is there any "11.0.9" or "11.0.10"?

> 1764	        'win': {
> 1765	          'latest': [
> 1766	            {
> 1767	              'status': 'latest',
> 1768	              'version': '11.0.10',
> 1769	              'detected_version': '11.0.10',
> 1770	              'detection_type': '*',
> 1771	              'os_name': 'win',
> 1772	              'platform': {
> 1773	                'app_id': '*',
> 1774	                'app_release': '*',
> 1775	                'app_version': '*',
> 1776	                'locale': '*'
> 1777	              }
> 1778	            },


> 1806	          'vulnerable': [
> 1807	            {
> 1808	              'status': 'vulnerable',
> 1809	              'vulnerability_description': 
'These updates address vulnerabilities that could potentially 
allow an attacker to take over the affected system.',
> 1810	              'vulnerability_url': 
'http://helpx.adobe.com/security/products/reader/apsb14-28.html',
> 1811	              'version': '11.0.09',
> 1812	              'detected_version': '11.0.09',
> 1813	              'detection_type': '*',
> 1814	              'os_name': 'win',
> 1815	              'platform': {
> 1816	                'app_id': '*',
> 1817	                'app_release': '*',
> 1818	                'app_version': '*',
> 1819	                'locale': '*'

I wonder if part of the problem is
> 1811	              'version': '11.0.09',
> 1812	              'detected_version': '11.0.09',
We know, from bug 1020133, that the metadata that is the "File version" field,
of the actual plugin "nppdf32.dll", is "11.0.9.29" (NOT "11.0.09.xx").

See bug 1020133 comment # 62.

The screenshots attached to comment # 19 and comment # 20
both show "11.0.9.29".  The website is correctly reading the metadata from "nppdf32.dll".

The 'data transferred to the Plugincheck Website' from the 'Plugincheck Database',
by the 'JSON List', is not good enough to report (in this case) that
"11.0.9.29" is "vulnerable".

So, in conclusion:

A. The 'JSON List', if it has the correct data (like the Flash example),
is quicker at getting 'data to the Plugincheck Website'
(than the 'dynamic URLs' https://plugins.mozilla.org/pfs/v2?appID= ...).

Why the 'dynamic URLs' are NOT fetching RECENT data needs investigation.

B. Adobe's choice of "11.0.09" on their website but
"11.0.9.29" in the "File version" metadata in the actual plugin
has made it harder to get 'effective data' into the Plugincheck Database.

DJ-Leith
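
The "11.0.09" versus "11.0.9.29" mismatch raised in the comment above is the kind of case where matching version strings as text and matching them as numbers give different answers. This is an added example, not Plugincheck's code: the two entries and the detected version are copied from the comment, while the prefix-matching rule and all function names are assumptions made for illustration.

```python
# Windows entries for Adobe Reader, copied from the 'JSON List' excerpt
# quoted in the comment above (lines 1768 and 1811 of that attachment).
READER_WIN_ENTRIES = [
    ("11.0.10", "latest"),
    ("11.0.09", "vulnerable"),
]
# "File version" metadata of nppdf32.dll, as reported in the thread.
DETECTED_READER = "11.0.9.29"


def parse_version(text):
    """Split a dotted version into integers, so '09' and '9' are equal."""
    parts = []
    for piece in text.strip().split("."):
        if not (piece.isascii() and piece.isdigit()):
            raise ValueError(f"non-numeric version component: {piece!r}")
        parts.append(int(piece))
    return tuple(parts)


def string_prefix_match(detected, entry):
    """Text matching: the entry must be a literal dotted prefix."""
    return detected == entry or detected.startswith(entry + ".")


def numeric_prefix_match(detected, entry):
    """Numeric matching: compare leading components as integers."""
    d, e = parse_version(detected), parse_version(entry)
    return d[: len(e)] == e


def lookup_status(detected, entries, matcher):
    """Return the status of the first matching entry (hypothetical rule)."""
    for version, status in entries:
        if matcher(detected, version):
            return status
    return "unknown"


def is_older(detected, reference):
    """Numeric ordering, padding the shorter version with zeros."""
    d, r = parse_version(detected), parse_version(reference)
    width = max(len(d), len(r))
    d += (0,) * (width - len(d))
    r += (0,) * (width - len(r))
    return d < r


if __name__ == "__main__":
    for name, matcher in (("string", string_prefix_match),
                          ("numeric", numeric_prefix_match)):
        status = lookup_status(DETECTED_READER, READER_WIN_ENTRIES, matcher)
        print(f"{name} matching: {DETECTED_READER} -> {status}")
    print("older than 11.0.10 (numeric):", is_older(DETECTED_READER, "11.0.10"))
    print("older than 11.0.10 (text):   ", DETECTED_READER < "11.0.10")
```
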
In bug 1109981 comment #1 it was said that

> The 'Plugincheck Database' was updated,
> by Schalk Neethling [:espressive] on 2014-12-10 at 01:13:58 PST.
> (see bug 1109488).

FYI, the plugin check page still lists my Shockwave Flash 15.0.0.239 as "Up-to-date".

The about:addons page successfully shows blocklist warning for this plugin (there are some glitches - bug 1109795 comment 34, but this feature is working).

Response headers for
https://plugins.mozilla.org/pfs/v2?appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D&appRelease=34&appVersion=20141126041045&clientOS=Windows&chromeLocale=ru-RU&detection=version_available&mimetype=application%2Fx-shockwave-flash+application%2Ffuturesplash&callback=C
are

Cache-Control: max-age=3600
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/javascript
Date: Sat, 13 Dec 2014 18:22:58 GMT
Expires: Sat, 13 Dec 2014 11:22:58 GMT
Keep-Alive: timeout=5, max=974
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
Vary: User-Agent, Accept-Encoding
Via: Moz-Cache-zlb12
X-Backend-Server: plugins1.webapp.phx1.mozilla.com
X-Cache-Info: cached
X-Frame-Options: DENY
X-Powered-By: PHP/5.3.3

I did a binary comparison (fc.exe /B) of the old and new responses and they are 100% identical, so I am not re-uploading them. See comment 13 and comment 14 for the files.

As was hinted in bug 1109795, the detected plugin version is stored in the pluginreg.dat file in the profile. I listed my values in bug 1109795 comment 36.

I plan to update my installed Flash version no later than Monday (24-48 hours from now), but I have an installer for 15.0.0.239 available, so maybe I will be able to test this even later than that date.
Hey everyone,

First of all, thank you for all the feedback and your patience. I have stabbed out some time to try and get behind this Flash issue. Can anyone/everyone please point their browsers to the dev instance here:

http://ossreleasefeed.github.io/Perfidies-of-the-Web/

and let me know whether the reporting for Flash works as expected now. Thank you very much for your assistance.
Oh, and this can/should be on any/all operating systems and browsers. Thanks!
Attached image screenshot.png
it's not working on win7/firefox 31 esr
(In reply to philipp from comment #24)
> Created attachment 8536430 [details]
> screenshot.png
> 
> it's not working on win7/firefox 31 esr

Thanks, I was expecting a problem with pre Fx34. Thanks for the info, I will see what feedback I receive from others using Fx34+ and other browsers and then work from there.
continuing on win7 64bit...
not working: firefox 33.1, IE10
working: firefox 34.0, chrome 39
(In reply to philipp from comment #26)
> continuing on win7 64bit...
> not working: firefox 33.1, IE10
> working: firefox 34.0, chrome 39

Ah awesome, glad to hear Fx34 and Chrome are working as expected. That confirms what I have seen. I am moving on to test 33, 32, 31 now and will update the bug once anything has been pushed to the dev instance to test.
Assumption:
  you have read the Background to the 'Plugincheck Service',
  in bug 956905 comment # 148 onwards.

Delay in posting results because I do NOT have Flash "15.0.0.246" on this computer.
I do, however, have Reader "11.0.9.29" - so more results for Reader
will be available in the future.

OS Windows 7 64bit.

Tests done, a few hours ago today, with

Flash "15.0.0.246" which is NOT on the blocklist (see bug 1109795)
and
Reader "11.0.9.29".

Both *should* be reported as "vulnerable" because the 'Plugincheck Database'
has been updated:
  * Flash on 2014-12-10 at 01:13:58 PST (see bug 1109488)
  * Reader on 2014-12-12 at 00:39:33 PST (see bug 1109858) 

DEV Site:
  http://ossreleasefeed.github.io/Perfidies-of-the-Web/

LIVE Site (for information and comparison):
  https://www.mozilla.org/en-GB/plugincheck/


Results:
  I have listed Results (and for some Results I have given my understanding
  of what they mean / how they could come about).


***
A. 'normal plugincheck test': using Release and Aurora on LIVE.

Fx 34, 2014-12-16, on LIVE

Flash, ("Shockwave Flash") using, I presume 'dynamic URL which has OLD data', "Up to Date", WRONG.
Reader, ("Adobe Acrobat") using, I presume 'dynamic URL which has OLD data', "Up to Date", WRONG.
Same as comment # 19
https://bug1084537.bugzilla.mozilla.org/attachment.cgi?id=8535935
"Fx-34-Flash-15-0-0-246-WRONG-Reader-11-0-9-29-WRONG-2014-12-12.png"

36.0a2 (2014-12-16) on LIVE
Flash, ("Adobe Flash Player" i.e. using the 'JSON List'), "vulnerable", correct.
Reader ("Adobe Reader" i.e. using the 'JSON List'), "Up to Date", WRONG.
Same as comment # 20
https://bug1084537.bugzilla.mozilla.org/attachment.cgi?id=8535939
"Fx-36-using-JSON-List-Flash-15-0-0-246-correct-Reader-11-0-9-29-WRONG-2014-12-12.png"

So, 6 days after the Flash "16.0.0.235" was added to the 'Plugincheck Database'
we STILL have the 'wrong result for Release': a false sense of Security.
We did have, on 2012-12-12, the correct result "vulnerable" using the 'JSON List',
two days after the 'Plugincheck Database' was updated.

Reader is still WRONG.
  This has been ongoing since May 2014:
  see bug 1020133 "Improve Adobe Acrobat plugin reporting".
    Until bug 1020133 comment # 85, on 2014-11-24, Release (NOT using the 'JSON List')
    had accurate 'Reader Results'.
      Until bug 1020133 comment # 85
      and bug 1101613 comment # 2 "PluginCheck Database Clearance",
      both comments were made on 2014-11-24,
      I could always test 'known plugins'
      (i.e. those that are in the JSON List).


***
B. 'test DEV' (with LIVE as a comparison):
      In comment # 22 and comment # 23, Schalk asked us to test DEV.

Method: use Fx 34 and spoof the UA to Fx 28, 29, 30 through to 37.
with ALL plugins enumerated - "plugins.enumerable_names" set to "*".
Use Ctrl+Shift+R to reload without cache.

Fx 34 with UA spoof to:

Fx 28,
Flash "vulnerable", correct.
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE

Fx 29,
Flash "vulnerable", correct.
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE

  I am surprised by Fx 28 and Fx 29 results.
  I speculate that these browsers are
  'rarely seen at the Plugincheck Website in December 2014' and so a 'fresh collection'
  of data was "fetched" for these tests, and we HAVE AN ACCURATE RESULT for Flash.


Fx 30,
Flash "Up to Date", WRONG.
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE


Fx 31,
Flash "Up to Date", WRONG.
Reader "Up to Date", WRONG.
On LIVE

Fx 31,
Flash "vulnerable", correct.
Reader "Up to Date", WRONG.
ONLY on DEV, DEV is using the 'JSON List' (e.g. Flash is "Adobe Flash Player")
  Expected if we assume that DEV did NOT have the changes for
  bug 1041509 "Bump Fx Version to 31 for plugincheck"
  and therefore DEV was using the 'JSON List' for Fx 31.


Fx 32,
Flash "Up to Date", WRONG.
Reader "Up to Date", WRONG.
On LIVE

Fx 32,
Flash "vulnerable", correct.
Reader "Up to Date", WRONG.
ONLY on DEV, DEV is using the 'JSON List' (e.g. Flash is "Adobe Flash Player")
  Expected if we assume that DEV did NOT have the changes for
  bug 1060905 "Bump Firefox Version for plugincheck - Fx 32 will be released on 2014-09-02"


Fx 33,
Flash "vulnerable", correct.
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE (LIVE is NOT using the 'JSON List' e.g. Flash is reported as "Shockwave Flash")
This result is 'strange' i.e. NOT what I predicted it would be before the Test.
  I had expected LIVE to be WRONG for Flash.
    I had assumed that DEV did NOT have the changes for
    bug 1078251 "Bump Firefox Version for plugincheck - Fx 33 will be released on 2014-10-14".
  Perhaps, because there were so many 'flavours of Fx 33' (Fx 33.0.1 etc) it is like
  Fx 28 and Fx 29 - a fresh 'fetch' of data, using the 'dynamic URL'
  https://plugins.mozilla.org/pfs/v2?appID= ... ... method
  on LIVE??


Fx 34,
Flash "Up to Date", WRONG.
Reader "Up to Date", WRONG.
On LIVE

Fx 34,
Flash "vulnerable", correct.
Reader "Up to Date", WRONG.
ONLY on DEV, DEV is using the 'JSON List' (e.g. Flash is "Adobe Flash Player")
  Expected if we assume that DEV did NOT have the changes for
  bug 1102198 "Always show unknown plugins".
  In bug 1102198 comment # 2 has
> FYI, this will also bump the version of Fx to 34. 


Fx 35,
Flash "vulnerable", correct.
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE (Both LIVE and DEV (as expected) are using the 'JSON List' 
e.g. Flash is "Adobe Flash Player")
  Expected because Fx 35+ is using the 'JSON List'.

Fx 36,
Flash "vulnerable", correct.
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE (Both LIVE and DEV (as expected) are using the 'JSON List' 
e.g. Flash is "Adobe Flash Player")
  Expected because Fx 35+ is using the 'JSON List'.

Fx 37,
Flash "vulnerable", correct.
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE (Both LIVE and DEV (as expected) are using the 'JSON List' 
e.g. Flash is "Adobe Flash Player")
  Expected because Fx 35+ is using the 'JSON List'.

DJ-Leith
Main point:

I am very grateful for Daniel Veditz's reply in bug 1110578 comment # 18:

> (In reply to DJ-Leith from bug 1110578 comment #16)
> > I have deliberately kept a Flash "15.0.0.246" for testing.
> > 
> > Like others, I still see Flash "15.0.0.246" reported, at the 'Plugincheck
> > Website', as "Up to Date" in ERROR.
> 
> I don't see that. For me 15.0.0.246 has shown as Vulnerable for days now,
> both when accessed from Mozilla and from my home ISP (Comcast).
> 
> This is actually incorrect: as far as Adobe has said 15.0.0.246 is not,
> in fact, vulnerable. It contains the same fix as 16.0.0.235. In the database
> it's listed correctly as "Outdated" rather than "Vulnerable" but apparently
> the site no longer makes that distinction (a bug? intentionally?).
> 
> So the real problem you (DJ-Leith) are seeing is that some people get the
> right message on plugincheck, and some people (like yourself) don't. We
> should track that down, but that's not this bug. Please don't confuse the
> issue by talking about two different things in one bug.
> 
> 
> > I still think there is some 'infrastructure' cause to WHY we do NOT
> > get 'fresh data about recently added versions of vulnerable Plugins
> > in the Plugincheck Database', via the dynamic URLs, sent to the
> > 'Plugincheck Website'.
>  
> Yes, likely. Is there something caching old scripts or data requests on
> your (and other's, judging by SUMO threads) network paths? It does not
> appear to be a problem on the Mozilla server itself (unless maybe we're sending
> incorrect cache headers).
> 
> 
> > More information in
> > bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable, on Windows 7"
> 
> That looks like a more appropriate place to discuss the symptoms you're seeing

I posted in that bug to attract attention from people at Mozilla
who had been dealing with the Blocklist: Bug 1109795 "Blocklist Flash versions vulnerable
to CVE-2014-9163 (15.0.0.242 and below, 11.2.202.424 on linux)"

While the blocklist alerted many people, the fact that the 'Plugincheck Website'
was giving different information - for days, caused confusion.

The "different information", in the most recent case, being
Flash "15.0.0.246" reported, at the 'Plugincheck Website', as "Up to Date" in ERROR.

We would all have hoped and expected that the 'Plugincheck Website' would
have reported Flash "15.0.0.246" correctly in less than 6 days!
(see comment # 28 in this bug)

I think it would be reasonable to expect that the 'Plugincheck Website' would
use 'new data from the Plugincheck Database', either via the dynamic URLs
or by the 'JSON List', within an hour or two of the 'Plugincheck Database'
being updated.  Schalk Neethling had added Flash "16.0.0.235" to
the 'Plugincheck Database' on 2014-12-10 at 01:13:58 PST.

By 2014-12-12 16:55 PST (comment # 18) I had seen, using the 'JSON List', a correct result.
Remember, Mozilla Devs, who may well use Nightly, Aurora or Beta are using the 'JSON List'
while Fx Release is using the 'dynamic URLs' when they visit the 'Plugincheck Website'.

However, on 2014-12-16 (comment # 28) I was STILL seeing the WRONG result for Flash:
6 DAYS after the update of the 'Plugincheck Database'.

(In reply to Schalk Neethling [:espressive] from bug 1110578 comment # 11)
> (In reply to Daniel Veditz [:dveditz] from bug 1110578 comment # 3)
> > 
> > Schalk: is there a manual "push" step to get the database info live that
> > didn't happen? (but has obviously happened now.)
> 
> Updating the information for the plugincheck page involves updating the database
> at plugins.m.o [this is independent of any changes to plugin statuses anywhere
> else, such as blocklists etc.] but, after the update happened there, there is
> also a cache period that needs to expire on mozilla.org but, the length of time
> mentioned here is much longer than the cache TTL.

Although there does NOT seem to be
> a manual "push" step to get the database info live
I wonder why it can take DAYS for the changes to be seen by all users of the
'Plugincheck Service'?

I still think it would be worth someone who knows about the Mozilla Infrastructure
looking into why many people have NOT had an accurate 'Plugincheck'.

Can someone at Mozilla alert them to the evidence in this bug?


Minor point:

I deliberately kept Flash "15.0.0.246" because it was NOT on the blocklist
AND I wanted to have a plugin that would be reported as "vulnerable".

I agree with Daniel Veditz when he says:
> This is actually incorrect: as far as Adobe has said 15.0.0.246 is not,
> in fact, vulnerable. It contains the same fix as 16.0.0.235.

However, I surmised that Schalk had added Flash "16.0.0.235" to the 'Plugincheck Database'.
There is not much detail in bug 1109488.

From the point of view of the 'Plugincheck Website', Windows users who have
Flash 'lower version than "16.0.0.235" (e.g. "15.0.0.246")' will have their
Flash plugin reported as "vulnerable".

I saw this on 2014-12-12 (comment # 18).

The results, from comment # 28, illustrate this point:
e.g.
> Fx 34,
> Flash "Up to Date", WRONG.
> Reader "Up to Date", WRONG.
> On LIVE
> 
> Fx 34,
> Flash "vulnerable", correct.
> Reader "Up to Date", WRONG.
> ONLY on DEV, DEV is using the 'JSON List' (e.g. Flash is "Adobe Flash Player")
>   Expected if we assume that DEV did NOT have the changes for
>   bug 1102198 "Always show unknown plugins".
>   In bug 1102198 comment # 2 has
> > FYI, this will also bump the version of Fx to 34. 

The fact that on DEV Flash "15.0.0.246" is reported as "vulnerable":
> Fx 34,
> Flash "vulnerable", correct.
seems to indicate, to me, that Schalk had added Flash "16.0.0.235" to
the 'Plugincheck Database' on 2014-12-10 at 01:13:58 PST.

DJ-Leith
"Plugincheck-JSON-List-with-line-numbers-2014-12-18.txt"
I'll discuss this in comment # 32.

We do NOT know when the 'JSON List' was generated
(see bug 1105483 "Add a 'Generated' Date and Time stamp to 
the top of the 'Plugincheck JSON List' ")

DJ-Leith
"Plugincheck-UA-Fx-28-Adobe-Reader-fetched-with-line-numbers-2014-12-18.txt"

I'll discuss this in comment # 32.

build=10b90aa

https://plugins.mozilla.org/pfs/v2?appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D&appRelease=28&appVersion=20141218004002&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fpdf+application%2Fvnd.adobe.pdfxml+application%2Fvnd.adobe.x-mars+application%2Fvnd.fdf+application%2Fvnd.adobe.xfdf+application%2Fvnd.adobe.xdp%2Bxml+application%2Fvnd.adobe.xfd%2Bxml&callback=C


I found it difficult to actually see any "v2?appID={... "
They seem to be 'transient'.
On several attempts I saw some for Flash.
Eventually, I found one for Reader (has "pdf" in the URL).

DJ-Leith
(In reply to DJ-Leith from comment # 28)
> Delay in posting results because I do NOT have Flash "15.0.0.246" on this computer.
> I do, however, have Reader "11.0.9.29" - so more results for Reader
> will be available in the future.

OS Windows 7 64bit.

Only testing, and reporting Reader "11.0.9.29"
  (Flash is already 16.0.0.235 on this computer).
Reader *should* be reported as "vulnerable"
because the 'Plugincheck Database' has been updated:
  * Reader on 2014-12-12 at 00:39:33 PST (see bug 1109858) 

DEV Site:
  http://ossreleasefeed.github.io/Perfidies-of-the-Web/

LIVE Site (for information and comparison):
  https://www.mozilla.org/en-GB/plugincheck/

Thu Dec 18 2014 06:27:19 PST

Fx 34
Reader "11.0.9.29" still "Up to Date", WRONG.

Tests like comment # 28
> B. 'test DEV' (with LIVE as a comparison):
>       In comment # 22 and comment # 23, Schalk asked us to test DEV.

Method: use Fx 34 and spoof the UA to Fx 28, 29, 30 through to 37.
with ALL plugins enumerated - "plugins.enumerable_names" set to "*".
Use Ctrl+Shift+R to reload without cache.

Fx 34 with UA spoof to:

Fx 28,
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE

Fx 29,
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE

Fx 30,
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE

  On Fx 28, 29 and 30 BOTH DEV and LIVE are using the 'Dynamic URLs' "Adobe Acrobat".
  So, SIX days after the Reader data was put into the 'Plugincheck Database',
  on 2014-12-12 at 00:39:33 PST (see bug 1109858).
  Are we STILL seeing 'old data' that was "fetched" BEFORE the 2014-12-12?


Fx 31,
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE
  On Fx 31 LIVE is using the 'Dynamic URLs' "Adobe Acrobat" (expected)
  On Fx 31 DEV is using the 'JSON List' "Adobe Reader" (expected, same as comment # 28).

  We know, from comment # 28 (and comment # 18 and comment #20),
  that the 'JSON List' has the correct data for Flash since 2014-12-12.
    Two days after Flash "16.0.0.235" was added to the 'Plugincheck Database'
    on 2014-12-10 at 01:13:58 PST (see bug 1109488).

https://bug1084537.bugzilla.mozilla.org/attachment.cgi?id=8535934
> 0008	 */
> 	       *** Twenty lines added here
> 	       ***  URL: https://plugins.mozilla.org/en-us/plugins_list.json  Date: 2014-12-12
> 	       ***  Browser: Fx Aurora (AKA Firefox Development Edition) 36.0a2 (2014-12-12)
<snip>
> 0675	        'win': {
> 0676	          'latest': [
> 0677	            {
> 0678	              'status': 'latest',
> 0679	              'version': '16.0.0.235',
> 0680	              'detected_version': '16.0.0.235',
> 0681	              'detection_type': '*',
> 0682	              'os_name': 'win',
> 0683	              'platform': {
> 0684	                'app_id': '*',
> 0685	                'app_release': '*',
> 0686	                'app_version': '*',
> 0687	                'locale': '*' 

  We also know from comment # 28 and
  bug 1020133 "Improve Adobe Acrobat plugin reporting"
  that there have been difficulties in getting accurate reports
  for Reader, since May 2014, when using the 'JSON List'.


Fx 32,
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE
  On Fx 32 LIVE is using the 'Dynamic URLs' "Adobe Acrobat" (expected)
  On Fx 32 DEV is using the 'JSON List' "Adobe Reader" (expected, same as comment # 28).

Fx 33,
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE
  On Fx 33 LIVE is using the 'Dynamic URLs' "Adobe Acrobat" (expected)
  On Fx 33 DEV is using the 'JSON List' "Adobe Reader" (expected, same as comment # 28).

Fx 34,
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE
  On Fx 34 LIVE is using the 'Dynamic URLs' "Adobe Acrobat" (expected)
  On Fx 34 DEV is using the 'JSON List' "Adobe Reader" (expected, same as comment # 28).

Fx 35 and
Fx 36 and
Fx 37
Reader "Up to Date", WRONG.
On BOTH DEV and LIVE
  BOTH DEV and LIVE are using the 'JSON List' "Adobe Reader".
  Expected because Fx 35+ is using the 'JSON List'
  (same as comment # 28).



Looking at the 'JSON List', from 2014-12-18, with respect to "Adobe Reader".

Attached to comment # 30.
https://bug1084537.bugzilla.mozilla.org/attachment.cgi?id=8538920


Observations:

A.
The Section seems to start at line 1696.
I would expect, below the "latest" in the "vulnerable" section to find examples
of "vulnerable" versions of READER.
> 1696      'adobe-reader': {
> 1697        'display_name': 'Adobe Reader',
> 1698        'description': 'Adobe PDF Plug-In For Firefox and Netscape',
> 1699        'versions': {
> 1700          'all': {
> 1701            'latest': [
> 1702              {
> 1703                'status': 'latest',
> 1704                'version': '10.1',
> 1705                'detected_version': '10.1',


> 1716            'vulnerable': [
> 1717              {
> 1718                'status': 'vulnerable',
> 1719                'vulnerability_description': 'Security updates available for Adobe Reader and Acrobat',
> 1720                'vulnerability_url': 'http://www.adobe.com/support/security/bulletins/apsb11-16.html',
> 1721                'version': '10.0.1',
> 1722                'detected_version': '10.0.1',


So far, all is OK.
BUT we then see 'data about FLASH' mingled with 'data about READER'?! 

> 1748                'status': 'vulnerable',
> 1749                'vulnerability_description': 'APSB10-17 Security updates available for Adobe Flash Player',
> 1750                'vulnerability_url': 'http://www.adobe.com/support/security/bulletins/apsb10-17.html',
> 1751                'version': '9.3.3',
> 1752                'detected_version': '9.3.3',
> 1753                'detection_type': '*',
> 1754                'os_name': '*',
> 1755                'platform': {
> 1756                  'app_id': '*',
> 1757                  'app_release': '*',
> 1758                  'app_version': '*',
> 1759                  'locale': '*'

This turns out to be 'not what I thought'.
I stumbled across a data entry error:
> 1750                'vulnerability_url': 'http://www.adobe.com/support/security/bulletins/apsb10-17.html',
is correct for "APSB10-17" but it turns out that "APSB10-17" is about Reader (not Flash).

> Security updates available for Adobe Reader and Acrobat
> Release date: August 19, 2010
> Vulnerability identifier: APSB10-17
> CVE numbers: CVE-2010-2862, CVE-2010-1240

> 1749                'vulnerability_description': 'APSB10-17 Security updates available for Adobe Flash Player'
The description, "vulnerability_description", is incorrect in the Database.


B.
Is there any "11.0.10" for the latest Adobe Reader?
NO there is still no "11.0.10".


C.
Is there any "11.0.9"? NO there is not.
There is "11.0.09".

> 1806            'vulnerable': [
> 1807              {
> 1808                'status': 'vulnerable',
> 1809                'vulnerability_description': 'These updates address vulnerabilities that could potentially allow an attacker to take over the affected system.',
> 1810                'vulnerability_url': 'http://helpx.adobe.com/security/products/reader/apsb14-28.html',
> 1811                'version': '11.0.09',
> 1812                'detected_version': '11.0.09',
> 1813                'detection_type': '*',
> 1814                'os_name': 'win',
> 1815                'platform': {
> 1816                  'app_id': '*',
> 1817                  'app_release': '*',
> 1818                  'app_version': '*',
> 1819                  'locale': '*'

Plugincheck will only detect the 'data in the metadata of the plugin file', "nppdf32.dll",
which is "11.0.9.29" (NOT "11.0.09.xx").

So the data in the 'JSON List' will NOT 'help to get an accurate report'.

There are the correct "11.0.8.0" and "11.0.7.0" entries.

> 1823                'status': 'vulnerable',
> 1824                'vulnerability_description': 'Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh.',
> 1825                'vulnerability_url': 'http://helpx.adobe.com/security/products/reader/apsb14-20.html',
> 1826                'version': '11.0.8.0',
> 1827                'detected_version': '11.0.8.0',
> 1828                'detection_type': '*',
> 1829                'os_name': 'win',
> 1830                'platform': { 

> 1838                'status': 'vulnerable',
> 1839                'vulnerability_description': 'These updates address a vulnerability that could allow an attacker to circumvent sandbox protection on the Windows platform.',
> 1840                'vulnerability_url': 'http://helpx.adobe.com/security/products/reader/apsb14-19.html',
> 1841                'version': '11.0.7.0',
> 1842                'detected_version': '11.0.7.0',
> 1843                'detection_type': '*',
> 1844                'os_name': 'win',




Now, looking at the 'dynamic URL' for Reader.

Attached to comment # 31.
https://bug1084537.bugzilla.mozilla.org/attachment.cgi?id=8538922

Observations:

First,
some good news.

The "fetched" is recent
> 0046         'fetched': '2014-12-18T08:26:22-08:00',

> 0070         'fetched': '2014-12-18T08:26:22-08:00',
all the way.

Second,
I can find the data for "11.0.10" which is the "latest"
and "created" on 2014-12-12.

> 0057         'created': '2014-12-12T16:35:56+00:00',

> 0061         'status': 'latest',
> 0062         'version': '11.0.10',


Here is more context:
> 0050         'id': '4',
> 0051         'pfs_id': 'adobe-reader',
> 0052         'name': 'Adobe Reader',
> 0053         'description': 'Adobe PDF Plug-In For Firefox and Netscape',
> 0054         'vendor': 'Adobe',
> 0055         'url': 'http://get.adobe.com/reader/',
> 0056         'modified': '2014-12-12T16:38:24+00:00',
> 0057         'created': '2014-12-12T16:35:56+00:00',
> 0058         'plugin_id': '2',
> 0059         'os_id': '3',
> 0060         'platform_id': '4',
> 0061         'status': 'latest',
> 0062         'version': '11.0.10',
> 0063         'detected_version': '11.0.10',
> 0064         'detection_type': '*',
> 0065         'os_name': 'win',
> 0066         'app_id': '*',
> 0067         'app_release': '*',
> 0068         'app_version': '*',
> 0069         'locale': '*',
> 0070         'fetched': '2014-12-18T08:26:22-08:00',
> 0071         'relevance': 3



Third,
I can find data about "11.0.09" sic (should be "11.0.9")

> 0430         'id': '4',
> 0431         'pfs_id': 'adobe-reader',
> 0432         'name': 'Adobe Reader',
> 0433         'description': 'Adobe PDF Plug-In For Firefox and Netscape',
> 0434         'vendor': 'Adobe',
> 0435         'url': 'http://get.adobe.com/reader/',
> 0436         'modified': '2014-12-12T16:38:24+00:00',
> 0437         'created': '2014-12-12T16:35:12+00:00',
> 0438         'plugin_id': '2',
> 0439         'os_id': '3',
> 0440         'platform_id': '4',
> 0441         'status': 'vulnerable',
> 0442         'vulnerability_description': 'These updates address vulnerabilities that could potentially allow an attacker to take over the affected system.',
> 0443         'vulnerability_url': 'http://helpx.adobe.com/security/products/reader/apsb14-28.html',
> 0444         'version': '11.0.09',
> 0445         'detected_version': '11.0.09',
> 0446         'detection_type': '*',
> 0447         'os_name': 'win',
> 0448         'app_id': '*',
> 0449         'app_release': '*',
> 0450         'app_version': '*',
> 0451         'locale': '*',
> 0452         'fetched': '2014-12-18T08:26:22-08:00',
> 0453         'relevance': 3

Another 'odd thing' about this entry is:
> 0436         'modified': '2014-12-12T16:38:24+00:00',
> 0437         'created': '2014-12-12T16:35:12+00:00',
I would have expected it to have been
"created" on 2014-09-17 (September not December) see:
bug 1068357 "Adobe Reader and Acrobat for Windows and Macintosh - plugins 
vulnerable 2014-09-16 - APSB14-20"

See also, bug 1068357 comment # 13 where "11.0.8.4" was STILL being
reported as "Up to Date" on 2014-09-20 (there is a screenshot).


Fourth,
the data for "11.0.8.0" is plausible and correct.
> 0248         'id': '4',
> 0249         'pfs_id': 'adobe-reader',
> 0250         'name': 'Adobe Reader',
> 0251         'description': 'Adobe PDF Plug-In For Firefox and Netscape',
> 0252         'vendor': 'Adobe',
> 0253         'url': 'http://get.adobe.com/reader/',
> 0254         'modified': '2014-12-12T16:38:24+00:00',
> 0255         'created': '2014-08-27T17:38:46+00:00',
> 0256         'plugin_id': '2',
> 0257         'os_id': '3',
> 0258         'platform_id': '4',
> 0259         'status': 'vulnerable',
> 0260         'vulnerability_description': 'Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh.',
> 0261         'vulnerability_url': 'http://helpx.adobe.com/security/products/reader/apsb14-20.html',
> 0262         'version': '11.0.8.0',
> 0263         'detected_version': '11.0.8.0',
> 0264         'detection_type': '*',
> 0265         'os_name': 'win',
> 0266         'app_id': '*',
> 0267         'app_release': '*',
> 0268         'app_version': '*',
> 0269         'locale': '*',
> 0270         'fetched': '2014-12-18T08:26:22-08:00',
> 0271         'relevance': 3
> 0272       },


> 0254         'modified': '2014-12-12T16:38:24+00:00',
> 0255         'created': '2014-08-27T17:38:46+00:00',

See bug 1053417 "Adobe Reader for Windows - plugins vulnerable 2014-08-12 - APSB14-19"
I reported this on 2014-08-13.
The Database was not updated until 2014-08-27 03:20:03 PDT (see bug 1053417 comment # 5).
The 'created': '2014-08-27T17:38:46+00:00', matches this change to the Database.



So we now know WHY Reader "11.0.9.29" is still being reported as "Up to Date" IN ERROR.
The data in the Plugincheck Database is WRONG.

Being anthropomorphic, the Plugincheck Website 'thinks' that ANY
'Reader Plugin' with a version more recent than "11.0.8" is "Up to Date"
(there is no data for 11.0.9, the data for 11.0.09 is not correct).

We also have circumstantial evidence that the "fetched" is many days AFTER the
Database was updated.


DJ-Leith
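
The "11.0.09" versus "11.0.9.29" mismatch described in the comment above can be caught by a consistency check over the database entries before they are published. The following is an added example, not part of the original comments and not Plugincheck's own code. The `status` and `detected_version` field names come from the quoted entries; the function names and the literal prefix-matching rule are assumptions made for illustration.

```javascript
'use strict';

// Constructed sample, shaped like the Adobe Reader entries quoted above.
const entries = [
  { status: 'latest',     detected_version: '11.0.10' },
  { status: 'vulnerable', detected_version: '11.0.09' },
  { status: 'vulnerable', detected_version: '11.0.8.0' },
  { status: 'vulnerable', detected_version: '11.0.7.0' },
];

// Dotted version -> array of integers, or null if a component is not all digits.
function parseVersion(v) {
  const parts = String(v).split('.');
  return parts.every((p) => /^\d+$/.test(p)) ? parts.map((p) => parseInt(p, 10)) : null;
}

// Components written with a leading zero ("09"); a plugin file reports "9".
function paddedComponents(v) {
  return String(v).split('.').filter((p) => /^0\d+$/.test(p));
}

// Assumed naive rule: the entry matches if it is a literal dotted prefix.
function literalMatch(entryVersion, detected) {
  return detected === entryVersion || detected.startsWith(entryVersion + '.');
}

// Numeric rule: every component of the entry equals the detected component.
function numericMatch(entryVersion, detected) {
  const e = parseVersion(entryVersion);
  const d = parseVersion(detected);
  if (!e || !d || e.length > d.length) return false;
  return e.every((n, i) => n === d[i]);
}

// Status of the first entry that matches, or null when nothing matches.
function classify(detected, list, matcher) {
  const hit = list.find((e) => matcher(e.detected_version, detected));
  return hit ? hit.status : null;
}

// Flag entries that can never literally match a version read from a plugin
// file, and list the sample detected versions each flagged entry would miss.
function lintEntries(list, detectedSamples) {
  const findings = [];
  for (const entry of list) {
    const version = entry.detected_version;
    if (parseVersion(version) === null) {
      findings.push({ version, problem: 'non-numeric component', padded: [], missed: [] });
      continue;
    }
    const padded = paddedComponents(version);
    if (padded.length > 0) {
      const missed = detectedSamples.filter(
        (d) => numericMatch(version, d) && !literalMatch(version, d));
      findings.push({ version, problem: 'zero-padded component', padded, missed });
    }
  }
  return findings;
}

// "11.0.9.29" is the nppdf32.dll version reported in the comment above.
console.log(lintEntries(entries, ['11.0.9.29']));
console.log('literal:', classify('11.0.9.29', entries, literalMatch));
console.log('numeric:', classify('11.0.9.29', entries, numericMatch));
```

With literal matching the detected version falls through every entry, so no "vulnerable" record is ever applied to it; comparing numeric components, or rejecting padded components at data-entry time, closes that gap.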
I have filed:

Bug 1117189 "Plugincheck Database - Review and correct Adobe Reader 11.0.9 vs 11.0.09
("nppdf32.dll" is "11.0.9.29")"
for the issue with Adobe Reader.

I will continue to test with Adobe Reader "11.0.9.29" until it is reported as "vulnerable".

Bug 1117195 "After updating the Plugincheck Database the Plugincheck Website
should use the new data within Minutes NOT Days"
for the issue with the delay in the Plugincheck Website using the data from the Plugincheck Database.

When I next have access to a PC with Flash "15.0.0.246", next week,
I will test again.  I have had verbal reports that Flash "15.0.0.246" is still being
reported as "Up to Date" - IN ERROR - using Firefox 34.

DJ-Leith
Blocks: 1121456
No longer blocks: 1121456
See also bug 1124654
"Blocklist request for flash 0days affecting version 16.0.0.287, 13.0.0.262, and 11.2.202.438".
That bug has most of the detail about timing.

Also 3 recent Adobe Security Bulletins:

  http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

  http://helpx.adobe.com/security/products/flash-player/apsb15-02.html

  http://helpx.adobe.com/security/products/flash-player/apsb15-02.html


Recent tests:

***
2015-01-23
***
at 13:49:54 PST in bug 1124656 comment # 2

> Fx 31 is still reporting Flash 16.0.0.257 as "Up to Date".
At THAT time the most recent Flash version, in the Plugincheck Database,
was 16.0.0.287.

On 2015-01-23 Release and Aurora had the 'correct result':

>   Good news:
>   Fx 35 and Fx 37.0a2 (2015-01-23) give the correct result,
>   Flash 16.0.0.257 is correctly reported as "vulnerable".
>   I think both Fx 35 and Fx 37 use the 'JSON List' method to get the
>   data from the 'Plugincheck Database' when visiting the
>   'Plugincheck Website'.

There is more detail about the 'dynamic URL' that gave the
'wrong result', when the UA was Fx 31, in bug 1124656 comment # 2.


***
2015-01-26
***
In bug 1126003
"Check for update says Adobe Flash needs updating, but it's current"

Paul, who opened the bug on 2015-01-26 at 13:34:18 PST, had the correct result:

He was using Fx 35.0.1 with Flash 16.0.0.287.

Schalk Neethling [:espressive] on 2015-01-25 at 06:20:49 PST
in bug 1124654 comment # 14 had updated the Plugincheck Database:
> Ok, I have updated the plugins database as follows:
> 
> Latest Win and Mac: 16.0.0.296
> Latest Win and Mac ESR: 13.0.0.264

So, Scott had the correct result.


***
27-01-2015
***
At 07:55 PST
Using Fx 34 with Flash 16.0.0.287 I had a 'wrong result', Flash reported as "Up to Date".

When I updated Firefox to Fx 35.0.1 (the current release) I had the 'correct results':
Flash 16.0.0.287 reported as "vulnerable" (on Fx 35.0.1)
  and 5 min later (after I had updated Flash)
Flash 16.0.0.296 reported as "Up to Date" (on Fx 35.0.1).

I did not have time to 'capture the dynamic URL' when I had access to
that computer (earlier today).
Remember that they all start "https://plugins.mozilla.org/pfs/v2?appID={ec80 ...").


So, in this comment we see another two 'wrong results' - both were using the 'dynamic URLs'.
I think that the "appVersion=2015..." part of the 'dynamic URL' is a Date.

I am beginning to think that the "appVersion=2015..." part
MIGHT reflect 'when the Plugincheck Database was updated' or it
MIGHT reflect 'the Firefox Build ID'.

I don't know, but this observation might be a clue.

DJ-Leith
Can someone please confirm that this has now been resolved? Thanks!
Confirming and/or verifying fixes on intermittent bugs is not easy.

This bug was seen most obviously under the following circumstances:

A. Shortly after the Plugincheck Database had been updated (for Flash).

B. When there was a lot of traffic to Plugincheck (e.g. following
a 'Flash zero day' getting publicity and MANY people checking Plugincheck).

C. When the 'method used by the Plugincheck Service' used the
'dynamic URLs' (the "https://plugins.mozilla.org/pfs/v2?appID=%7Bec ...")
which I have often thought were the 'old Plugin Finder Service'.
This was 'due to be retired' (see bug 956905 comment # 149).

  Sometimes the 'JSON List' got the fresh data to the
  'Plugincheck Website' in TWO days.
  We have seen the 'dynamic URLs' taking SIX days to get the fresh data to
  the 'Plugincheck Website' (see comment # 28).

It is worth re-reading comment # 0 through to comment # 4.

I expect the 'real test' will be to observe what happens at the next
'Flash zero day' getting publicity ==> lots of traffic to Plugincheck.

In recent weeks several things have been done that might
mitigate a re-occurrence.

These include:

1. bug 1121456 "PluginCheck for Firefox"

2. bug 1121460 "Move All PluginCheck Client Side Code to Bedrock"

The idea, in those bugs, is to only 'do Plugincheck tests' on Firefox.
A simpler situation.

So, my response is to wait and see.
At the moment I can NOT confirm that this is resolved.


However, to attempt to answer comment # 35:
> Can someone please confirm that this has now been resolved? Thanks!

I attempted to 'see the wrong result' / break Plugincheck;
to reproduce this bug.

I used the en-US Plugincheck for all tests.
https://www.mozilla.org/en-US/plugincheck/

I have tried the following:

First,
use 'old Firefox versions'.

Recall that the 'dynamic URLs' (which tended to be 'much slower to provide
recent data from the Plugincheck Database', about the 'plugins to be tested')
were only used on 'old Firefox'.

Spoofing the UA was a way of doing a Plugincheck using the 'dynamic URLs' / PFS v2.

The good news is that when I spoof the UA, to make 'Firefox appear to be old',
I was still offered data from the JSON List.

Method:
In "about:config" add the string
"general.useragent.override"

Try Fx 28
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"

You are shown, as expected,
"Looks like you’re using an older version of Firefox." and the
"Update your Firefox" button.
These appear 'above the Plugincheck test result'.

The 'test used the JSON List': there is a 
"GET /en-us/plugins_list.json?callback=jQuery1110008503153487414084_1428697665901&_=1428697665902 HTTP/1.1"

I cleared all cookies and repeated (using <Ctrl>+<Shift>+<R> to reload without cache).

I always got the 'JSON List'
and I was never offered
'data via a dynamic URL', in the form "https://plugins.mozilla.org/pfs/v2?appID=%7Bec ..."

I changed the UA to more recent versions.

It was only when I chose the current Release version:
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0"
where I was NOT shown the "Update your Firefox" button.


Second,
'are the dynamic URLs' still reachable?

Yes,
if you browse direct to them e.g.

https://plugins.mozilla.org/pfs/v2?appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appRelease=33&appVersion=20141011015303&clientOS=Windows&chromeLocale=en-GB&detection=version_available&mimetype=application%2Fx-shockwave-flash+application%2Ffuturesplash&callback=C

Returns data.
>         'fetched': '2015-04-10T12:48:29-07:00'
However this is earlier today (about 9 hours old) - much more recent than
some of the examples above in this bug.

DJ-Leith
Ok, I am going to close this one out for now, let's keep an eye on this the next time a 0 day exploit hits Flash. Thanks DJ
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED