lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 20 Apr 2009 18:17:24 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Windows Update (re-)installs outdated Flash ActiveX on Windows XP

Windows Update (as well as Microsoft Update and the Automatic Update)
installs an outdated (and from its manufacturer unsupported) Flash
Player ActiveX control on Windows XP.


Although this fact is nothing really new it but shows the lack of taking
care for security problems and in general the chuzpe of many software
"producers" to ship their "products" with outdated and often vulnerable
components.


The ouverture:

* Windows XP RTM (i.e. the original release version without any service
  packs) installs a Flash Player ActiveX control SWFLASH.OCX v5.0r42

* Windows XP Service Pack 1 updates the SWFLASH.OCX to v5.0r44

* Windows XP Service Pack 2 (released in August 2004) replaces the
  SWFLASH.OCX with FLASH.OCX v6.0r79

* security update KB913433 (see <http://support.microsoft.com/kb/913433>
  and <http://www.microsoft.com/technet/security/bulletin/ms06-020.mspx>)
  updates FLASH.OCX to 6.0r84

* security update KB923789 (see <http://support.microsoft.com/kb/923789>
  and <http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx>)
  updates FLASH.OCX to 6.0r88

* Windows XP Service Pack 3 (released in April 2008) contains the same
  FLASH.OCX v6.0r79 as Service Pack 2, i.e. none of the security updates
  published after Service Pack 2 were incorporated!
  The MSKB article KB948460 but STILL states wrong that KB913433 (sic!)
  is included in Service Pack 3

To my knowledge Adobe stopped direct support for Flash Player 6 in late
2005, the newest version of Flash Player ActiveX 6.0 available on their
web site <http://www.adobe.com/go/tn_14266> is 6.0r79 from 2005-11-11.
Later versions of Flash Player ActiveX 6.0 were available from Microsoft
only: <http://www.adobe.com/devnet/security/security_zone/apsb06-03.html>
and <http://www.adobe.com/support/security/bulletins/apsb06-11.html>

I doubt that these outdated Flash Player ActiveX controls are safe and
not vulnerable to current exploits, so Microsoft puts it's customers
clearly at risk.


The unhappy end:

* Start with a fully patched Windows XP with Service Pack 3 AND the
  current Adobe Flash Player ActiveX v10.0r22.87 installed.

  Since recent Flash Player installers remove any older versions of the
  ActiveX control this means that neither FLASH.OCX nor SWFLASH.OCX are
  present in %SystemRoot%\System32\Macromed\ or
  %SystemRoot%\System32\Macromed\Flash\

* Install an arbitrary software product that installs a Flash Player
  ActiveX prior to 6.0r88 (there are MANY software products that do so).

  For example, get the current MSN CD-ROM "MSN 9.6-PROD", part no.
  X14-85160-02 DE from Microsoft; this CD-ROM contains the product
  "Digital Image Standard Edition 2006" v11.1 from 2007-01-29, which
  installs an outdated and VULNERABLE FLASH.OCX v6.0r29 to
  %SystemRoot%\System32\Macromed\!

  Note that the installer was created AFTER KB923789, which but was not
  incorporated. Does Microsoft really care about security?

  If you dont want to order the MSN CD-ROM a trial version of "Digital
  Image Starter Edition 2006" is available from
  <http://www.microsoft.com/downloads/details.aspx?FamilyID=7c3b3ded-a15f-48c5-b724-7796fe8c151e>

  If you dont want to install such a big product either, get the
  Windows Update KB913433 from
  <http://www.microsoft.com/downloads/details.aspx?FamilyId=B2B8F9A8-4874-405A-9F0C-768B2631673A>
  extract the Flash Player ActiveX installer INSTALL_FP6_WU.EXE from
  the package and run the installer.

  The attempt to install a Flash Player ActiveX prior to 6.0r88 over a
  later version does not YET any harm, since starting with 6.0r88 Adobe
  sets deny ACLs on the %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX
  as well as all the registry entries which prevent earlier Flash Player
  ActiveX installers to overwrite them, so any Flash Player ActiveX
  6.0r88 and later is preserved.

  Any of the above mentioned products but installs the previously not
  existent file %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX

* Visit <http://windowsupdate.microsoft.com/> (or wait till the daily
  run of the Automatic Update) and install the Windows Update KB923789.

  This but DOES harm: since the Flash Player ActiveX installer that has
  been wrapped in KB923789 (re-)sets the ACLs it overwrites the registry
  entries of the newer/recent Flash Player ActiveX. DAMAGE DONE!


I informed Microsoft in the last two years several times about this
problem and discussed it with various members of their Microsoft Security
Response Center, but the problem persists.


Stefan Kanthak

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ