Re: Windows Update (re-)installs outdated Flash ActiveX on Windows XP
Dear Stefan Kanthak,
As far as I can see, Internet Explorer actually uses flash10b.ocx.
Adobe
Flash Player 10.0 r22
--Monday, April 20, 2009, 8:17:24 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:
SK> Windows Update (as well as Microsoft Update and the Automatic Update)
SK> installs an outdated (and from its manufacturer unsupported) Flash
SK> Player ActiveX control on Windows XP.
SK> Although this fact is nothing really new, it does show the lack of care
SK> taken over security problems and, in general, the chutzpah of many software
SK> "producers" who ship their "products" with outdated and often vulnerable
SK> components.
SK> The overture:
SK> * Windows XP RTM (i.e. the original release version without any service
SK> packs) installs a Flash Player ActiveX control SWFLASH.OCX v5.0r42
SK> * Windows XP Service Pack 1 updates the SWFLASH.OCX to v5.0r44
SK> * Windows XP Service Pack 2 (released in August 2004) replaces the
SK> SWFLASH.OCX with FLASH.OCX v6.0r79
SK> * security update KB913433 (see
SK> <http://support.microsoft.com/kb/913433>
SK> and
SK> <http://www.microsoft.com/technet/security/bulletin/ms06-020.mspx>)
SK> updates FLASH.OCX to 6.0r84
SK> * security update KB923789 (see
SK> <http://support.microsoft.com/kb/923789>
SK> and
SK> <http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx>)
SK> updates FLASH.OCX to 6.0r88
SK> * Windows XP Service Pack 3 (released in April 2008) contains the same
SK> FLASH.OCX v6.0r79 as Service Pack 2, i.e. none of the security updates
SK> published after Service Pack 2 were incorporated!
SK> The MSKB article KB948460, however, STILL wrongly states that KB913433 (sic!)
SK> is included in Service Pack 3.
SK> To my knowledge Adobe stopped direct support for Flash Player 6 in late
SK> 2005; the newest version of Flash Player ActiveX 6.0 available on their
SK> web site <http://www.adobe.com/go/tn_14266> is 6.0r79 from 2005-11-11.
SK> Later versions of Flash Player ActiveX 6.0 were available from Microsoft
SK> only:
SK> <http://www.adobe.com/devnet/security/security_zone/apsb06-03.html>
SK> and <http://www.adobe.com/support/security/bulletins/apsb06-11.html>
SK> I doubt that these outdated Flash Player ActiveX controls are safe and
SK> not vulnerable to current exploits, so Microsoft puts its customers
SK> clearly at risk.
SK> The unhappy end:
SK> * Start with a fully patched Windows XP with Service Pack 3 AND the
SK> current Adobe Flash Player ActiveX v10.0r22.87 installed.
SK> Since recent Flash Player installers remove any older versions of the
SK> ActiveX control this means that neither FLASH.OCX nor SWFLASH.OCX are
SK> present in %SystemRoot%\System32\Macromed\ or
SK> %SystemRoot%\System32\Macromed\Flash\
SK> * Install an arbitrary software product that installs a Flash Player
SK> ActiveX prior to 6.0r88 (there are MANY software products that do so).
SK> For example, get the current MSN CD-ROM "MSN 9.6-PROD", part no.
SK> X14-85160-02 DE from Microsoft; this CD-ROM contains the product
SK> "Digital Image Standard Edition 2006" v11.1 from 2007-01-29, which
SK> installs an outdated and VULNERABLE FLASH.OCX v6.0r29 to
SK> %SystemRoot%\System32\Macromed\!
SK> Note that the installer was created AFTER KB923789, which, however, was not
SK> incorporated. Does Microsoft really care about security?
SK> If you don't want to order the MSN CD-ROM, a trial version of "Digital
SK> Image Starter Edition 2006" is available from
SK> <http://www.microsoft.com/downloads/details.aspx?FamilyID=7c3b3ded-a15f-48c5-b724-7796fe8c151e>
SK> If you don't want to install such a big product either, get the
SK> Windows Update KB913433 from
SK> <http://www.microsoft.com/downloads/details.aspx?FamilyId=B2B8F9A8-4874-405A-9F0C-768B2631673A>
SK> extract the Flash Player ActiveX installer INSTALL_FP6_WU.EXE from
SK> the package and run the installer.
SK> The attempt to install a Flash Player ActiveX prior to 6.0r88 over a
SK> later version does not YET do any harm, since starting with 6.0r88 Adobe
SK> sets deny ACLs on
SK> %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX
SK> as well as on all the registry entries, which prevents earlier Flash Player
SK> ActiveX installers from overwriting them, so any Flash Player ActiveX
SK> 6.0r88 or later is preserved.
SK> Any of the above-mentioned products, however, installs the previously
SK> non-existent file %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX.
SK> * Visit <http://windowsupdate.microsoft.com/> (or wait till the daily
SK> run of the Automatic Update) and install the Windows Update KB923789.
SK> This, however, DOES harm: since the Flash Player ActiveX installer that has
SK> been wrapped in KB923789 (re-)sets the ACLs, it overwrites the registry
SK> entries of the newer/recent Flash Player ActiveX. DAMAGE DONE!
SK> I informed Microsoft in the last two years several times about this
SK> problem and discussed it with various members of their Microsoft Security
SK> Response Center, but the problem persists.
SK> Stefan Kanthak
--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Anyway, what matters most is the algorithm! (Lem)
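An added check, written for this page and not part of the original post or of either author's own tooling, for verifying on a Windows XP box whether the scenario described above has occurred. It lists every .ocx under the two Macromed directories named in the post with its file version and the number of Deny ACEs on it (the ACLs the 6.0r88 and later installers set), then follows the control's ProgID through the registry to the InprocServer32 path to see which OCX Internet Explorer will actually load, and flags a downgrade when the registered file is older than the newest one on disk. The ProgID "ShockwaveFlash.ShockwaveFlash" is an assumption (the customary name under which the Flash ActiveX control registers; it is not stated in the post), as is the use of PowerShell 2.0 on XP.

```powershell
# Added example, not code from the original post. Inventory the Flash ActiveX
# controls on disk and report which one the registry hands to COM/IE.
# Assumption: the control registers the ProgID "ShockwaveFlash.ShockwaveFlash".

$dirs = @("$env:SystemRoot\System32\Macromed",
          "$env:SystemRoot\System32\Macromed\Flash")
$progId = 'ShockwaveFlash.ShockwaveFlash'   # assumed ProgID, see lead-in

function Get-OcxVersion([string]$path) {
    # Build a comparable [Version] from the numeric parts. The FileVersion
    # string on these controls is comma-separated ("10,0,22,87"), so do not
    # try to parse the string itself.
    $v = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    New-Object System.Version($v.FileMajorPart, $v.FileMinorPart,
                              $v.FileBuildPart, $v.FilePrivatePart)
}

$onDisk = @()
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    foreach ($f in (Get-ChildItem -Path $d -Filter *.ocx)) {
        # Deny ACEs are what the 6.0r88+ installers add so that older
        # installers cannot overwrite the control; zero here means an
        # unprotected (and probably older) control.
        $denies = @((Get-Acl $f.FullName).Access |
                    Where-Object { $_.AccessControlType -eq 'Deny' })
        $onDisk += New-Object PSObject -Property @{
            Path     = $f.FullName
            Version  = Get-OcxVersion $f.FullName
            DenyAces = $denies.Count
        }
    }
}

"Flash ActiveX controls on disk:"
$onDisk | Sort-Object Version -Descending |
    Format-Table Path, Version, DenyAces -AutoSize | Out-String

# ProgID -> CLSID -> InprocServer32: this is the file COM (and hence IE) loads,
# and it is exactly the registry entry the post says KB923789 overwrites.
$clsidKey = "Registry::HKEY_CLASSES_ROOT\$progId\CLSID"
if (-not (Test-Path $clsidKey)) {
    "ProgID $progId is not registered."
    return
}
$clsid  = (Get-ItemProperty -Path $clsidKey).'(default)'
$server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32").'(default)'
"Registered InprocServer32 for ${progId}: $server"

if (Test-Path $server) {
    $registered = Get-OcxVersion $server
    $newest = ($onDisk | Sort-Object Version -Descending | Select-Object -First 1).Version
    if ($newest -and ($registered -lt $newest)) {
        "WARNING: registry points at $registered but $newest is present on disk (downgrade)."
    } else {
        "OK: the registered control ($registered) is the newest one found."
    }
} else {
    "WARNING: InprocServer32 points at a file that does not exist: $server"
}
```

Run it once on a clean, fully patched machine to record the baseline, then again after installing a product that ships an old FLASH.OCX and after the next Windows Update run; a DOWNGRADE warning at the last step reproduces the problem described in the post, and the DenyAces column shows whether the older installer managed to strip the protections the newer one set.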