funsec mailing list archives
Re: XP SP3 Installs Older, Vulnerable Version of Flash Player
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Mon, 2 Jun 2008 18:57:35 -0400
Microsoft's writeup in their advisory is vague about what versions are involved. I installed the update on an SP3 system running Flash 8.0.24.0 and got an error back that the update was not a proper version for the Flash I was running, or something like that. I went to the Flash site and installed the current (9.0.124.0) version.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Dave Nelson
Sent: Monday, June 02, 2008 6:26 PM
To: Paul Ferguson
Cc: funsec () linuxbox org
Subject: Re: [funsec] XP SP3 Installs Older,Vulnerable Version of Flash Player

IIRC Microsoft's reasoning for not shipping SP3 with a newer version was that their license for flash only covered the older version that they include in the update. Personally I'd have rather seen them not include the file at all if it wasn't the most recent release, which really wouldn't have helped in this case with the most recent at the time of the SP3 release being exploitable.

Dave

Paul Ferguson wrote:
Yes, you read that correctly:

"It appears that XP service pack 3 installs an older vulnerable version of the flash player, causing those systems to be vulnerable to these vulnerabilities."

More: http://isc.sans.org/diary.html?storyid=4513

Why is this important? Lots and lots of malicious Flash [.swf] exploits:

http://blog.trendmicro.com/flash-bugs-exploited-in-latest-mass-compromise/

The latest news on this is that the latest version of Flash (9.0.124.0) is not vulnerable to these exploits...

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- XP SP3 Installs Older, Vulnerable Version of Flash Player Paul Ferguson (Jun 02)
- Re: XP SP3 Installs Older, Vulnerable Version of Flash Player Dave Nelson (Jun 02)
- Re: XP SP3 Installs Older, Vulnerable Version of Flash Player Jeff Kell (Jun 02)
- Re: XP SP3 Installs Older, Vulnerable Version of Flash Player Dave Nelson (Jun 02)
- Re: XP SP3 Installs Older, Vulnerable Version of Flash Player Larry Seltzer (Jun 02)
- Re: XP SP3 Installs Older, Vulnerable Version of Flash Player Larry Seltzer (Jun 02)
- Re: XP SP3 Installs Older, Vulnerable Version of Flash Player Jeff Kell (Jun 02)
- Re: XP SP3 Installs Older, Vulnerable Version of Flash Player Dave Nelson (Jun 02)