On Friday, July 18, 2014 at 3:31:53 PM UTC-5, Gavin Sharp wrote:
> 
> ...
> 
> With click to play on by default we could probably remove the broad
> block, but we'd want to still block the known-vulnerable versions,
> which would require coming up with a regexp that matches only the
> right versions.



Yes, I also don't understand why there is so much resistance to fixing this, 
especially since the related vulnerability in the Java Deployment Toolkit was 
fixed by Oracle over 4 years ago (since at least October 2011).

I think it all started with this comment: 
----------------
https://bugzilla.mozilla.org/show_bug.cgi?id=636633#c6
Jorge Villalobos [:jorgev] 2012-03-08 11:59:38 PST (Comment #6)
"Blocking this is tricky since we need to use regular expressions, per bug 
558584 comment 16 https://bugzilla.mozilla.org/show_bug.cgi?id=558584#c16 ..."
----------------

and then this one:
----------------
https://bugzilla.mozilla.org/show_bug.cgi?id=636633#c9
Jorge Villalobos [:jorgev] 2013-06-25 07:32:22 PDT (Comment #9)
Are we okay with blocking all versions of the Java Deployment Toolkit? It seems 
harmless enough to do this. Flags: needinfo? (release-m...(at)mozilla.com)
----------------

"It seems harmless enough to do this."

and:
----------------
https://bugzilla.mozilla.org/show_bug.cgi?id=636633#c13
Alex Keybl [:akeybl] 2013-06-27 14:12:04 PDT (Comment #13)
(In reply to Jorge Villalobos [:jorgev] from comment #9)
> Are we okay with blocking all versions of the Java Deployment Toolkit? It
> seems harmless enough to do this.
Sounds good to us, with QA verification.
----------------

"Sounds good to us"


So it seems that there was some reluctance (inability, unwillingness) to come 
up with a regular expression that would be inclusive of all of the versions to 
block, so the decision was made to just completely, unilaterally, and 
permanently block all versions of the Java DT plugin.

This is just very odd, because it seems to be standard operating procedure to 
block plugins based on the version number of the plugin.

For example, a vulnerability was recently discovered (by Adobe) in the Flash 
plugin. The vulnerable version of the Flash plugin was (understandably) blocked 
in Firefox. Adobe released a new version of the plugin, and the new version of 
the Flash plugin was immediately available (unblocked) in Firefox, while the 
vulnerable version (versions) of the Flash plugin remains blocked.

Another odd thing about it is that the defenders of the block are basically 
saying that there are only 2 options: 1) leave the full block on the Java DT 
plugin in place as it currently is, or 2) completely remove the block for all 
versions of the Java DT plugin which would allow the vulnerable versions of the 
Java DT plugin to run unblocked which is therefore unacceptable. When someone 
asks about "fixing" the block, their response is we're not going to "remove" 
the block.

Perhaps the most concerning thing about all this is that it has been suggested 
in one or more places, that the "fix" for this is not to limit the blocking to 
the vulnerable versions of the Java DT plugin (as should have been done over 4 
years ago), but rather to go into about:config and completely disable blocking. 
To me this is such an irresponsible thing to recommend because while it will 
allow the fixed versions of the Java DT plugin to run unblocked, it will 
obviously allow dozens (hundreds) of versions of all kinds of vulnerable 
plugins to run unblocked. And there are many users that simply don't understand 
the ramifications of doing that.


To get to the heart of the matter, there are these 2 posts in the bug report:

----------------
https://bugzilla.mozilla.org/show_bug.cgi?id=636633#c2
Neal Poole 2011-10-18 13:26:08 PDT (Comment #2)
The October 2011 Critical Patch Update was released. That means the latest 
versions of Java 6 and Java 7 are no longer vulnerable (Java 7 was patched 
silently earlier in the year). 
----------------

"the latest versions of Java 6 and Java 7 are no longer vulnerable"

and...

----------------
https://bugzilla.mozilla.org/show_bug.cgi?id=636633#c5
Neal Poole 2012-03-07 13:23:26 PST (Comment #5)
"The Java Deployment Toolkit Plugin v6.0.240.7 and below for Firefox and Google 
Chrome can be used to download and run an improperly signed executable on a 
target's system. UAC, if enabled, will prompt the user before running the 
executable. This vulnerability has been tested and confirmed to exist on 
Windows 7, both 32-bit and 64-bit. It was fixed in Java 7 and Java 6 Update 29. 
This issue has been assigned CVE-2011-3516." 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3516
----------------

"It was fixed in Java 7 and Java 6 Update 29."


I don't know if there are any peculiarities with the version designations for 
the Java DT plugin (it doesn't seem so), but there are many smart people at 
Mozilla and I'm sure someone there can come up with an appropriate regular 
expression. In fact at this point, the block could be implemented on all 
versions of the plugin prior to version 7. This would make the regular 
expression much simpler because it would eliminate the need for the regular 
expression to determine which of the updates of version 6 need to be blocked... 
just block all of version 6 and before. The only downside to this approach is 
that there are 1 or 2 (or perhaps a few) updates of the version 6 Java DT 
plugin that do not have the vulnerability, and these updates would be blocked. 
But, these updates are all well over 4 years old. 

So, I'll propose a regular expression for this (that I'm sure some will pick 
apart):

Use this to determine if the version of the plugin should be "blocked":

    ^[ ]*[0]*[0-6][.].+

This will match even if there are leading spaces, or leading zeros, and will 
match all updates of all versions from "0.xx" to "6.xx", and if there were any 
versions like "01.xx".

If the regular expression has to test the opposite case, use this to determine 
if the version of the plugin should be "allowed":

    ^[ ]*([7-9]|[1-9][0-9]+)[.].+

This will match all updates of all versions from "7.xx" and greater.


After reviewing the related bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=636633

I notice 2 things...

First, this post (ironically posted the same day that "this" thread was 
started):
----------------
https://bugzilla.mozilla.org/show_bug.cgi?id=636633#c81
Sylvestre Ledru [:sylvestre] 2014-07-18 00:32:45 PDT (Comment #81)
I'm restricting further comments on this bug. Bugzilla isn't intended as a 
debate forum. As Anthony and Lukas suggested, the place to have this discussion 
is dev-platform: https://lists.mozilla.org/listinfo/dev-platform

[Comments are restricted to users with the editbugs privilege -- with privilege 
comes responsibility, so please consider carefully before commenting if you are 
able.] Restrict Comments: true
----------------

which means us mere mortal users can no longer discuss this matter there (in 
that bug).


and then there's this post:
----------------
https://bugzilla.mozilla.org/show_bug.cgi?id=636633#c62
Anthony Hughes, QA Mentor (:ashughes) 2014-05-05 11:14:57 PDT (Comment #62)
Stephen, Bugzilla is not the right place to have this discussion. Your concerns 
are quite valid but should be posted to the dev-platform mailing list. If we 
ever entertain the proposal to remove this block it will not happen in this 
bug. The discussion will happen on dev-platform and the implementation of the 
removal will happen in a new bug on Bugzilla.

Respectfully, please take your concerns to dev-platform.
----------------

particularly the part: 
"If we ever entertain the proposal to remove this block it will not happen in 
this bug. The discussion will happen on dev-platform and the implementation of 
the removal will happen in a new bug on Bugzilla."

So, since we are here on "dev-platform", and we are discussing this, and at 
this point it seems the consensus is that it should be fixed; would it be 
appropriate to open a new bug report (on bugzilla.mozilla.org) on the issue of 
fixing the block of the Java DT plugin (tying the block to the version number 
of the plugin)?
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
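The following Python is an added example, not code from the post above or from Mozilla's blocklist, that exercises the two regular expressions the post proposes against constructed version strings, and sets them beside a structured comparison against the "v6.0.240.7 and below" cutoff quoted from comment #5. It shows which inputs each regex accepts, that the "block" and "allow" patterns are complementary only for well-formed versions, and which 6.x versions the regex blocks even though the cutoff treats them as fixed (the over-blocking the post itself acknowledges). The version strings other than 6.0.240.7 are constructed for illustration and are not real plugin releases.

```python
import re
from typing import List, Tuple

# The two regular expressions proposed in the post, copied unchanged.
BLOCK_RE = re.compile(r"^[ ]*[0]*[0-6][.].+")
ALLOW_RE = re.compile(r"^[ ]*([7-9]|[1-9][0-9]+)[.].+")

# Cutoff quoted in the post (bug 636633 comment #5): Java Deployment Toolkit
# plugin v6.0.240.7 and below is affected by CVE-2011-3516.
LAST_VULNERABLE = (6, 0, 240, 7)

# Constructed sample inputs (only 6.0.240.7 comes from the page). They cover
# leading spaces and zeros, a two-digit major version, a version one patch
# level above the cutoff, and a string that is not a version at all.
SAMPLE_VERSIONS = [
    "6.0.240.7",   # last vulnerable version per the quoted advisory
    "6.0.240.8",   # constructed: above the cutoff but still a 6.x version
    "6.0.290.0",   # constructed: another 6.x version above the cutoff
    "7.0.0.1",     # constructed 7.x
    " 7.0.10.2",   # constructed, leading space
    "10.0.2.1",    # constructed two-digit major version
    "01.6.0",      # constructed, leading zero
    "0.9.1",       # constructed 0.x
]


def blocked_by_regex(version: str) -> bool:
    """True if the post's 'block' regex matches the version string."""
    return BLOCK_RE.match(version) is not None


def allowed_by_regex(version: str) -> bool:
    """True if the post's 'allow' regex matches the version string."""
    return ALLOW_RE.match(version) is not None


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'a.b.c.d' into a tuple of ints (leading spaces/zeros are harmless).
    Raises ValueError for anything that is not dot-separated integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def blocked_by_cutoff(version: str) -> bool:
    """Block exactly the versions the quoted advisory calls vulnerable.
    Tuple comparison handles versions of different length: (6, 0) compares
    as less than (6, 0, 240, 7), so a bare '6.0' is treated as old. Strings
    that cannot be parsed are blocked (fail closed) rather than allowed."""
    try:
        return parse_version(version) <= LAST_VULNERABLE
    except ValueError:
        return True


def regexes_are_complementary(versions: List[str]) -> bool:
    """True if, for every input, exactly one of the two regexes matches.
    A malformed string matches neither, so a blocklist built on the 'block'
    regex lets it through while one built on the 'allow' regex stops it."""
    return all(blocked_by_regex(v) != allowed_by_regex(v) for v in versions)


def overblocked_by_regex(versions: List[str]) -> List[str]:
    """Versions the post's regex blocks although the cutoff says they are
    fixed: the 'updates of version 6 that do not have the vulnerability'."""
    return [v for v in versions if blocked_by_regex(v) and not blocked_by_cutoff(v)]


def report(versions: List[str]) -> List[Tuple[str, bool, bool, bool]]:
    """One row per version: (version, regex_block, regex_allow, cutoff_block)."""
    return [(v, blocked_by_regex(v), allowed_by_regex(v), blocked_by_cutoff(v))
            for v in versions]


if __name__ == "__main__":
    for row in report(SAMPLE_VERSIONS + ["garbage"]):
        print("%-12r block=%-5s allow=%-5s cutoff_block=%s" % row)
    print("complementary on well-formed versions:",
          regexes_are_complementary(SAMPLE_VERSIONS))
    print("over-blocked by regex:", overblocked_by_regex(SAMPLE_VERSIONS))
```

The regex pair behaves as the post describes on well-formed input: "10.0.2.1" is not caught by the block pattern because `[0-6]` would have to match the '1' and then `[.]` would have to match the '0'. The structured comparison is the stricter alternative if the exact cutoff is what should drive the block; which of the two a blocklist uses is a policy choice, and the fail-closed handling of unparseable strings is an assumption of this example.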
