[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1207171372.26948.1245737023@webmail.messagingengine.com>
Date: Wed, 02 Apr 2008 17:22:52 -0400
From: "CaseArmour.net Security Administrator" <security@...earmour.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Adobe Flash bundling vulnerabilities
I'm noticing a disturbing trend of vulnerable versions of Flash (among
other runtimes) being distributed with lots of different software, and
the list now includes vendors such as Microsoft and -- Adobe.
Adobe AIR up through the last Windows beta bundled a known-vulnerable
version of Flash. I seem to have deleted my copy of the Beta 2
installer, so I can't confirm what version, but I believe it was a
9.x-series. The Windows AIR installer, AdobeAIRInstaller.exe
(1.0.7.4880, md5sum 7F5646586EB25CEB2F5457B0BD144F59), presently
available from the Adobe site, has been updated to include Flash 9.0
r115, or at least that's the version reported by the included Netscape
plugin.
In the future, I'm going to be very careful about installing Adobe
products, on the occasions that I'm forced to.
Microsoft, unfortunately, still bundles Flash 6.0.79.0 with, as far as I
can tell, Windows XP, and every Windows XP service pack ever produced,
up through the SP3 RC2 builds. Installing or slipstreaming a service
pack on Windows XP installs the vulnerable Flash version, and installing
a new Flash build from Adobe *does not* uninstall the vulnerable
version. I didn't realize this until I was testing Secunia PSI on a
newly-installed system.
I'm not experienced enough with IE or Explorer internals to tell whether
it's possible to convince a browser (or OutLook? or something else?)
instance to render a malicious applet with the older version, but I
wouldn't be surprised if it's possible. Even if it's not, I'm paranoid
about the possibility of a remote, non-privileged login or other access
being able to leverage the vulnerable Flash OCX. The install happens
whether or not the XP system in question already includes a newer Flash
build.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists