funsec mailing list archives

Re: XP SP3 Installs Older, Vulnerable Version of Flash Player


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Mon, 2 Jun 2008 18:57:35 -0400

Microsoft's writeup in their advisory is vague about what versions are
involved. I installed the update on an SP3 system running Flash 8.0.24.0
and got an error back that the update was not a proper version for the
Flash I was running, or something like that.

I went to the Flash site and installed the current (9.0.124.0) version.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Dave Nelson
Sent: Monday, June 02, 2008 6:26 PM
To: Paul Ferguson
Cc: funsec () linuxbox org
Subject: Re: [funsec] XP SP3 Installs Older, Vulnerable Version of Flash Player

IIRC Microsoft's reasoning for not shipping SP3 with a newer version was
that their license for Flash only covered the older version that they
include in the update.
Personally I'd have rather seen them not include the file at all if it
wasn't the most recent release, which really wouldn't have helped in
this case, with the most recent at the time of the SP3 release being
exploitable.

Dave

Paul Ferguson wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, you read that correctly:

"It appears that XP service pack 3 installs an older vulnerable
version of the flash player, causing those systems to be vulnerable
to these vulnerabilities."

More:
http://isc.sans.org/diary.html?storyid=4513

Why is this important? Lots and lots of malicious Flash [.swf]
exploits:


http://blog.trendmicro.com/flash-bugs-exploited-in-latest-mass-compromise/

The latest news on this is that the latest version of Flash
(9.0.124.0) is not vulnerable to these exploits...

- - ferg


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIRGjTq1pz9mNUZTMRAkNGAKDsiLkn1Gzto3Mq/Jful60/5mJCQwCdHadQ
PokqwkDUrvn3tKSMpYRpYeA=
=Uw89
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
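Added editorial example, not part of the thread or of any participant's message: a PowerShell check for the condition the thread describes, an XP SP3 host left on a Flash Player ActiveX build older than the 9.0.124.0 release the posters name as not vulnerable. Assumptions (not stated anywhere in the thread): the ActiveX control is installed under %SystemRoot%\System32\Macromed\Flash, and the installer records its version in the registry at HKLM:\SOFTWARE\Macromedia\FlashPlayer\CurrentVersion as a comma-separated string such as "9,0,124,0". Adjust either location if your build differs. The script only reports; remediation in the thread was to install the current player from Adobe's site rather than to rely on the SP3-bundled file.

```powershell
# Added example (editorial, not from the funsec thread). Reports every Flash
# Player ActiveX build found on the host and flags those below 9.0.124.0,
# the fixed release named in the thread.
#
# ASSUMPTIONS (not from the thread): the control lives in
# %SystemRoot%\System32\Macromed\Flash and/or records its version under
# HKLM:\SOFTWARE\Macromedia\FlashPlayer\CurrentVersion ("9,0,124,0" style).

$Fixed = New-Object System.Version(9, 0, 124, 0)

function Get-FlashVersions {
    $found = @()

    # 1. File versions of the ActiveX control(s) on disk. SP3 replaces the
    #    file itself, so the on-disk version is the one that matters.
    $dir = Join-Path $env:SystemRoot 'System32\Macromed\Flash'   # assumed path
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Filter '*.ocx' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                             $vi.FileBuildPart, $vi.FilePrivatePart)
            $found += New-Object PSObject -Property @{
                Source  = $_.FullName
                Version = $ver
            }
        }
    }

    # 2. What the installer last wrote to the registry (assumed key). This can
    #    disagree with the file after SP3 overwrites the .ocx, which is exactly
    #    the case worth catching, so both are listed.
    $key = 'HKLM:\SOFTWARE\Macromedia\FlashPlayer'
    if (Test-Path $key) {
        $cv = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CurrentVersion
        if ($cv) {
            $found += New-Object PSObject -Property @{
                Source  = "$key\CurrentVersion"
                Version = New-Object System.Version(($cv -replace ',', '.'))
            }
        }
    }
    return $found
}

$versions = Get-FlashVersions
if (-not $versions) {
    Write-Host 'No Flash Player ActiveX control found in the assumed locations.'
    exit 0
}

foreach ($v in $versions) {
    # Anything older than the fixed release is reported, which also covers an
    # 8.x install that the vendor's 9.x patch will refuse to apply to.
    $state = if ($v.Version -lt $Fixed) { 'VULNERABLE (older than 9.0.124.0)' } else { 'ok' }
    Write-Host ("{0}`t{1}`t{2}" -f $v.Version, $state, $v.Source)
}
```

Run it from an elevated PowerShell prompt on the XP SP3 host; a row marked VULNERABLE for the on-disk .ocx means SP3 (or something else) has put back a pre-fix build, even if the registry row still shows a newer number.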

Current thread: