Re: Windows Update (re-)installs outdated Flash ActiveX on Windows XP

["Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>]

Dear Stefan Kanthak,

As far as I can see, Internet Explorer actually uses flash10b.ocx.
Adobe
Flash Player 10.0 r22

--Monday, April 20, 2009, 8:17:24 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

SK> Windows Update (as well as Microsoft Update and the Automatic Update)
SK> installs an outdated (and from its manufacturer unsupported) Flash
SK> Player ActiveX control on Windows XP.


SK> Although this fact is nothing really new it but shows the lack of taking
SK> care for security problems and in general the chuzpe of many software
SK> "producers" to ship their "products" with outdated and often vulnerable
SK> components.


SK> The ouverture:

SK> * Windows XP RTM (i.e. the original release version without any service
SK>   packs) installs a Flash Player ActiveX control SWFLASH.OCX v5.0r42

SK> * Windows XP Service Pack 1 updates the SWFLASH.OCX to v5.0r44

SK> * Windows XP Service Pack 2 (released in August 2004) replaces the
SK>   SWFLASH.OCX with FLASH.OCX v6.0r79

SK> * security update KB913433 (see
SK> <http://support.microsoft.com/kb/913433>
SK>   and
SK> <http://www.microsoft.com/technet/security/bulletin/ms06-020.mspx>)
SK>   updates FLASH.OCX to 6.0r84

SK> * security update KB923789 (see
SK> <http://support.microsoft.com/kb/923789>
SK>   and
SK> <http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx>)
SK>   updates FLASH.OCX to 6.0r88

SK> * Windows XP Service Pack 3 (released in April 2008) contains the same
SK>   FLASH.OCX v6.0r79 as Service Pack 2, i.e. none of the security updates
SK>   published after Service Pack 2 were incorporated!
SK>   The MSKB article KB948460 but STILL states wrong that KB913433 (sic!)
SK>   is included in Service Pack 3

SK> To my knowledge Adobe stopped direct support for Flash Player 6 in late
SK> 2005, the newest version of Flash Player ActiveX 6.0 available on their
SK> web site <http://www.adobe.com/go/tn_14266> is 6.0r79 from 2005-11-11.
SK> Later versions of Flash Player ActiveX 6.0 were available from Microsoft
SK> only:
SK> <http://www.adobe.com/devnet/security/security_zone/apsb06-03.html>
SK> and <http://www.adobe.com/support/security/bulletins/apsb06-11.html>

SK> I doubt that these outdated Flash Player ActiveX controls are safe and
SK> not vulnerable to current exploits, so Microsoft puts it's customers
SK> clearly at risk.


SK> The unhappy end:

SK> * Start with a fully patched Windows XP with Service Pack 3 AND the
SK>   current Adobe Flash Player ActiveX v10.0r22.87 installed.

SK>   Since recent Flash Player installers remove any older versions of the
SK>   ActiveX control this means that neither FLASH.OCX nor SWFLASH.OCX are
SK>   present in %SystemRoot%\System32\Macromed\ or
SK>   %SystemRoot%\System32\Macromed\Flash\

SK> * Install an arbitrary software product that installs a Flash Player
SK>   ActiveX prior to 6.0r88 (there are MANY software products that do so).

SK>   For example, get the current MSN CD-ROM "MSN 9.6-PROD", part no.
SK>   X14-85160-02 DE from Microsoft; this CD-ROM contains the product
SK>   "Digital Image Standard Edition 2006" v11.1 from 2007-01-29, which
SK>   installs an outdated and VULNERABLE FLASH.OCX v6.0r29 to
SK>   %SystemRoot%\System32\Macromed\!

SK>   Note that the installer was created AFTER KB923789, which but was not
SK>   incorporated. Does Microsoft really care about security?

SK>   If you dont want to order the MSN CD-ROM a trial version of "Digital
SK>   Image Starter Edition 2006" is available from
SK>  
SK> 
<http://www.microsoft.com/downloads/details.aspx?FamilyID=7c3b3ded-a15f-48c5-b724-7796fe8c151e>

SK>   If you dont want to install such a big product either, get the
SK>   Windows Update KB913433 from
SK>  
SK> 
<http://www.microsoft.com/downloads/details.aspx?FamilyId=B2B8F9A8-4874-405A-9F0C-768B2631673A>
SK>   extract the Flash Player ActiveX installer INSTALL_FP6_WU.EXE from
SK>   the package and run the installer.

SK>   The attempt to install a Flash Player ActiveX prior to 6.0r88 over a
SK>   later version does not YET any harm, since starting with 6.0r88 Adobe
SK>   sets deny ACLs on the
SK> %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX
SK>   as well as all the registry entries which prevent earlier Flash Player
SK>   ActiveX installers to overwrite them, so any Flash Player ActiveX
SK>   6.0r88 and later is preserved.

SK>   Any of the above mentioned products but installs the previously not
SK>   existent file %SystemRoot%\System32\Macromed\Flash\FLASH*.OCX

SK> * Visit <http://windowsupdate.microsoft.com/> (or wait till the daily
SK>   run of the Automatic Update) and install the Windows Update KB923789.

SK>   This but DOES harm: since the Flash Player ActiveX installer that has
SK>   been wrapped in KB923789 (re-)sets the ACLs it overwrites the registry
SK>   entries of the newer/recent Flash Player ActiveX. DAMAGE DONE!


SK> I informed Microsoft in the last two years several times about this
SK> problem and discussed it with various members of their Microsoft Security
SK> Response Center, but the problem persists.


SK> Stefan Kanthak


-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Âïðî÷åì, âàæíåå âñåãî - àëãîðèòì!  (Ëåì)