Bugtraq mailing list archives

Re: Windows Update (re-)installs outdated Flash ActiveX on Windows XP


From: "Andrew Kuriger" <a.kuriger () liquidphlux com>
Date: Wed, 22 Apr 2009 17:59:06 -0500 (CDT)

Hello All,

I have seen and reproduced the behavior that was originally posted by Stefan. I believe the only reason that your browser is using flash10b.ocx is because you installed Flash Player 10. The KB update that gets pushed down via updates is an older version that does not overwrite the current install if the current install is newer. I noticed this as recently as 4 days ago but really didn't think anything of it since I knew I would install the latest version anyway.

I am kind of surprised that there was a post on Bugtraq so close after I updated (when I noticed this), although until it starts overwriting the "new" with the old I really don't see a major problem. More of a "huh, weird" issue that MS would still be deploying such an old (and even older regarding SP3) version.

Andrew

On 4/22/2009, "Vladimir '3APA3A' Dubrovin" <3APA3A () SECURITY NNOV RU> wrote:

Dear Stefan Kanthak,

As far as I can see, Internet Explorer actually uses flash10b.ocx.

Adobe Flash Player 10.0 r22

--
Monday, April 20, 2009, 8:17:24 PM, you wrote to bugtraq () securityfocus com:

SK> Windows Update (as well as Microsoft Update and the Automatic Update)
SK> installs an outdated (and from its manufacturer unsupported) Flash
SK> Player ActiveX control on Windows XP.

SK> Although this fact is nothing really new, it shows the lack of taking
SK> care of security problems and in general the chutzpah of many software
SK> "producers" to ship their "products" with outdated and often vulnerable
SK> components.

SK> The overture:

SK> * Windows XP RTM (i.e. the original release version without any service
SK>   packs) installs a Flash Player ActiveX control SWFLASH.OCX v5.0r42
SK> * Windows XP Service Pack 1 updates the SWFLASH.OCX to v5.0r44
SK> * Windows XP Service Pack 2 (released in August 2004) replaces the
SK>   SWFLASH.OCX with FLASH.OCX v6.0r79
SK> * security update KB913433 (see <http://support.microsoft.com/kb/913433>
SK>   and <http://www.microsoft.com/technet/security/bulletin/ms06-020.mspx>)
SK>   updates FLASH.OCX to 6.0r84
SK> * security update KB923789 (see <http://support.microsoft.com/kb/923789>
SK>   and <http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx>)
SK>   updates FLASH.OCX to 6.0r88
SK> * Windows XP Service Pack 3 (released in April 2008) contains the same
SK>   FLASH.OCX v6.0r79 as Service Pack 2, i.e. none of the security updates
SK>   published after Service Pack 2 were incorporated!
SK>   The MSKB article KB948460, however, STILL wrongly states that KB913433
SK>   (sic!) is included in Service Pack 3

SK> To my knowledge Adobe stopped direct support for Flash Player 6 in late
SK> 2005; the newest version of Flash Player ActiveX 6.0 available on their
SK> web site <http://www.adobe.com/go/tn_14266> is 6.0r79 from 2005-11-11.
SK> Later versions of Flash Player ActiveX 6.0 were available from Microsoft
SK> only:
SK> <http://www.adobe.com/devnet/security/security_zone/apsb06-03.html>
SK> and <http://www.adobe.com/support/security/bulletins/apsb06-11.html>

SK> I doubt that these outdated Flash Player ActiveX controls are safe and
SK> not vulnerable to current exploits, so Microsoft puts its customers
SK> clearly at risk.

SK> The unhappy end:

SK> * Start with a fully patched Windows XP with Service Pack 3 AND the
SK>   current Adobe Flash Player ActiveX v10.0r22.87 installed.
SK>   Since recent Flash Player installers remove any older versions of the
SK>   ActiveX control, this means that neither FLASH.OCX nor SWFLASH.OCX are
SK>   present in %SystemRoot%\System32\Macromed\ or
SK>   %SystemRoot%\System32\Macromed\Flash\
SK> * Install an arbitrary software product that installs a Flash Player
SK>   ActiveX prior to 6.0r88 (there are MANY software products that do so).
SK>   For example, get the current MSN CD-ROM "MSN 9.6-PROD", part no.
SK>   X14-85160-02 DE from Microsoft; this CD-ROM contains the product
SK>   "Digital Image Standard Edition 2006" v11.1 from 2007-01-29, which
SK>   installs an outdated and VULNERABLE FLASH.OCX v6.0r29 to
SK>   %SystemRoot%\System32\Macromed\!
SK>   Note that the installer was created AFTER KB923789, which, however, was
SK>   not incorporated. Does Microsoft really care about security?
SK>   If you don't want to order the MSN CD-ROM, a trial version of "Digital
SK>   Image Starter Edition 2006" is available from
SK>   <http://www.microsoft.com/downloads/details.aspx?FamilyID=7c3b3ded-a15f-48c5-b724-7796fe8c151e>
SK>   If you don't want to install such a big product either, get the
SK>   Windows Update KB913433 from
SK>   <http://www.microsoft.com/downloads/details.aspx?FamilyId=B2B8F9A8-4874-405A-9F0C-768B2631673A>,
SK>   extract the Flash Player ActiveX installer INSTALL_FP6_WU.EXE from
SK>   the package and run the installer.
SK>   The attempt to install a Flash Player ActiveX prior to 6.0r88 over a
SK>   later version does not YET do any harm, since starting with 6.0r88 Adobe
SK>   sets deny ACLs on the %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX
SK>   as well as all the registry entries, which prevents earlier Flash Player
SK>   ActiveX installers from overwriting them, so any Flash Player ActiveX
SK>   6.0r88 and later is preserved.
SK>   Any of the above mentioned products, however, installs the previously
SK>   non-existent file %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX
SK> * Visit <http://windowsupdate.microsoft.com/> (or wait till the daily
SK>   run of the Automatic Update) and install the Windows Update KB923789.
SK>   This DOES harm: since the Flash Player ActiveX installer that has
SK>   been wrapped in KB923789 (re-)sets the ACLs, it overwrites the registry
SK>   entries of the newer/recent Flash Player ActiveX. DAMAGE DONE!

SK> I informed Microsoft in the last two years several times about this
SK> problem and discussed it with various members of their Microsoft Security
SK> Response Center, but the problem persists.

SK> Stefan Kanthak

--
Skype: Vladimir.Dubrovin
~/ZARAZA
http://securityvulns.com/
Anyway, the most important thing is the algorithm! (Lem)
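The thread turns on two facts a practitioner can check directly: which Flash OCX files sit under %SystemRoot%\System32\Macromed, with what version and which deny ACEs, and which file the registry actually points Internet Explorer at. The following PowerShell inventory script is an added example, not code from the original thread or from any of its participants. It assumes PowerShell 2.0 (the release available for Windows XP), that the Flash ActiveX control is registered under the ProgID "ShockwaveFlash.ShockwaveFlash", and that controls live under Macromed\ (older installers) or Macromed\Flash\ (6.0r88 and later), as the thread describes.

```powershell
# Added example (not from the original thread): inventory Flash ActiveX controls
# on a Windows XP machine and show which one the registry makes IE load.
# Assumptions: PowerShell 2.0; the Flash ActiveX ProgID is
# "ShockwaveFlash.ShockwaveFlash"; controls live under %SystemRoot%\System32\Macromed.

$macromed = Join-Path $env:SystemRoot 'System32\Macromed'
$progId   = 'ShockwaveFlash.ShockwaveFlash'

function ConvertTo-Version([string]$s) {
    # Flash stamps FileVersion as "10,0,22,87" or "6,0,88,0"; normalise so
    # [version] can compare them. Returns $null for anything unparseable.
    try { [version](($s -replace ',', '.') -replace '\s', '') } catch { $null }
}

function Get-FlashOcxInventory {
    # One record per OCX on disk: path, version and any explicit Deny ACEs
    # (the 6.0r88+ installer sets Deny ACEs so older installers cannot overwrite it).
    Get-ChildItem -Path $macromed -Recurse -Filter *.ocx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl  = Get-Acl -Path $_.FullName
            $deny = @($acl.Access |
                      Where-Object { $_.AccessControlType -eq 'Deny' } |
                      ForEach-Object { '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights })
            $denyText = '(none)'
            if ($deny.Count -gt 0) { $denyText = $deny -join '; ' }
            New-Object PSObject -Property @{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                DenyACEs    = $denyText
            }
        }
}

function Get-RegisteredFlashServer {
    # Follow ProgID -> CLSID -> InprocServer32 to find the DLL/OCX that COM
    # (and therefore Internet Explorer) will actually load for Flash.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$progId\CLSID"
    $clsid    = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $clsid) { return $null }
    $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $server = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $server) { return $null }
    # InprocServer32 may be REG_EXPAND_SZ, so expand %SystemRoot% and friends.
    $path = [Environment]::ExpandEnvironmentVariables($server)
    $ver  = '(file missing)'
    if (Test-Path -Path $path) { $ver = (Get-Item -Path $path).VersionInfo.FileVersion }
    New-Object PSObject -Property @{ CLSID = $clsid; Path = $path; FileVersion = $ver }
}

$inventory  = @(Get-FlashOcxInventory)
$registered = Get-RegisteredFlashServer

'== Flash OCX files under {0} ==' -f $macromed
$inventory | Format-Table Path, FileVersion, DenyACEs -AutoSize

'== Control registered for {0} ==' -f $progId
if ($registered) { $registered | Format-List CLSID, Path, FileVersion } else { 'not registered' }

# The "damage done" state from the thread: the registry points at a control
# older than the newest one on disk. Flag it explicitly.
$newest = $inventory |
    Where-Object { ConvertTo-Version $_.FileVersion } |
    Sort-Object { ConvertTo-Version $_.FileVersion } -Descending |
    Select-Object -First 1
if ($registered -and $newest) {
    $regVer = ConvertTo-Version $registered.FileVersion
    $maxVer = ConvertTo-Version $newest.FileVersion
    if ($regVer -and $maxVer -and ($regVer -lt $maxVer)) {
        Write-Warning ('Registered control {0} ({1}) is OLDER than {2} ({3}) present on disk' -f
            $registered.Path, $registered.FileVersion, $newest.Path, $newest.FileVersion)
    }
}
```

Run it before and after letting KB923789 install: on a healthy box the registered path resolves to flash10b.ocx (or whatever the current control is) under Macromed\Flash\ and that file carries Deny ACEs; if the warning fires, the registry has been pointed back at the older FLASH.OCX even though the newer file survived on disk, which is exactly the failure mode Stefan describes.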
