| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Apr 2009 23:00:00 +0400 From: Vladimir '3APA3A' Dubrovin <3APA3A@...URITY.NNOV.RU> To: "Stefan Kanthak" <stefan.kanthak@...go.de> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Windows Update (re-)installs outdated Flash ActiveX on Windows XP Dear Stefan Kanthak, As far as I can see, Internet Explorer actually uses flash10b.ocx. Adobe Flash Player 10.0 r22 --Monday, April 20, 2009, 8:17:24 PM, you wrote to bugtraq@...urityfocus.com: SK> Windows Update (as well as Microsoft Update and the Automatic Update) SK> installs an outdated (and from its manufacturer unsupported) Flash SK> Player ActiveX control on Windows XP. SK> Although this fact is nothing really new it but shows the lack of taking SK> care for security problems and in general the chuzpe of many software SK> "producers" to ship their "products" with outdated and often vulnerable SK> components. SK> The ouverture: SK> * Windows XP RTM (i.e. the original release version without any service SK> packs) installs a Flash Player ActiveX control SWFLASH.OCX v5.0r42 SK> * Windows XP Service Pack 1 updates the SWFLASH.OCX to v5.0r44 SK> * Windows XP Service Pack 2 (released in August 2004) replaces the SK> SWFLASH.OCX with FLASH.OCX v6.0r79 SK> * security update KB913433 (see SK> <http://support.microsoft.com/kb/913433> SK> and SK> <http://www.microsoft.com/technet/security/bulletin/ms06-020.mspx>) SK> updates FLASH.OCX to 6.0r84 SK> * security update KB923789 (see SK> <http://support.microsoft.com/kb/923789> SK> and SK> <http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx>) SK> updates FLASH.OCX to 6.0r88 SK> * Windows XP Service Pack 3 (released in April 2008) contains the same SK> FLASH.OCX v6.0r79 as Service Pack 2, i.e. none of the security updates SK> published after Service Pack 2 were incorporated! SK> The MSKB article KB948460 but STILL states wrong that KB913433 (sic!) SK> is included in Service Pack 3 SK> To my knowledge Adobe stopped direct support for Flash Player 6 in late SK> 2005, the newest version of Flash Player ActiveX 6.0 available on their SK> web site <http://www.adobe.com/go/tn_14266> is 6.0r79 from 2005-11-11. SK> Later versions of Flash Player ActiveX 6.0 were available from Microsoft SK> only: SK> <http://www.adobe.com/devnet/security/security_zone/apsb06-03.html> SK> and <http://www.adobe.com/support/security/bulletins/apsb06-11.html> SK> I doubt that these outdated Flash Player ActiveX controls are safe and SK> not vulnerable to current exploits, so Microsoft puts it's customers SK> clearly at risk. SK> The unhappy end: SK> * Start with a fully patched Windows XP with Service Pack 3 AND the SK> current Adobe Flash Player ActiveX v10.0r22.87 installed. SK> Since recent Flash Player installers remove any older versions of the SK> ActiveX control this means that neither FLASH.OCX nor SWFLASH.OCX are SK> present in %SystemRoot%\System32\Macromed\ or SK> %SystemRoot%\System32\Macromed\Flash\ SK> * Install an arbitrary software product that installs a Flash Player SK> ActiveX prior to 6.0r88 (there are MANY software products that do so). SK> For example, get the current MSN CD-ROM "MSN 9.6-PROD", part no. SK> X14-85160-02 DE from Microsoft; this CD-ROM contains the product SK> "Digital Image Standard Edition 2006" v11.1 from 2007-01-29, which SK> installs an outdated and VULNERABLE FLASH.OCX v6.0r29 to SK> %SystemRoot%\System32\Macromed\! SK> Note that the installer was created AFTER KB923789, which but was not SK> incorporated. Does Microsoft really care about security? SK> If you dont want to order the MSN CD-ROM a trial version of "Digital SK> Image Starter Edition 2006" is available from SK> SK> <http://www.microsoft.com/downloads/details.aspx?FamilyID=7c3b3ded-a15f-48c5-b724-7796fe8c151e> SK> If you dont want to install such a big product either, get the SK> Windows Update KB913433 from SK> SK> <http://www.microsoft.com/downloads/details.aspx?FamilyId=B2B8F9A8-4874-405A-9F0C-768B2631673A> SK> extract the Flash Player ActiveX installer INSTALL_FP6_WU.EXE from SK> the package and run the installer. SK> The attempt to install a Flash Player ActiveX prior to 6.0r88 over a SK> later version does not YET any harm, since starting with 6.0r88 Adobe SK> sets deny ACLs on the SK> %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX SK> as well as all the registry entries which prevent earlier Flash Player SK> ActiveX installers to overwrite them, so any Flash Player ActiveX SK> 6.0r88 and later is preserved. SK> Any of the above mentioned products but installs the previously not SK> existent file %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX SK> * Visit <http://windowsupdate.microsoft.com/> (or wait till the daily SK> run of the Automatic Update) and install the Windows Update KB923789. SK> This but DOES harm: since the Flash Player ActiveX installer that has SK> been wrapped in KB923789 (re-)sets the ACLs it overwrites the registry SK> entries of the newer/recent Flash Player ActiveX. DAMAGE DONE! SK> I informed Microsoft in the last two years several times about this SK> problem and discussed it with various members of their Microsoft Security SK> Response Center, but the problem persists. SK> Stefan Kanthak -- Skype: Vladimir.Dubrovin ~/ZARAZA http://securityvulns.com/ Âïðî÷åì, âàæíåå âñåãî - àëãîðèòì! (Ëåì) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists