IIRC Microsoft's reasoning for not shipping SP3 with a newer version was that their license for Flash only covered the older version that they include in the update. Personally I'd have rather seen them not include the file at all if it wasn't the most recent release, which really wouldn't have helped in this case with the most recent at the time of the SP3 release being exploitable.

Dave

Paul Ferguson wrote:
> Yes, you read that correctly:
>
> "It appears that XP service pack 3 installs an older vulnerable
> version of the flash player, causing those systems to be vulnerable
> to these vulnerabilities."
>
> More:
> http://isc.sans.org/diary.html?storyid=4513
>
> Why is this important? Lots and lots of malicious Flash [.swf]
> exploits:
>
> http://blog.trendmicro.com/flash-bugs-exploited-in-latest-mass-compromise/
>
> The latest news on this is that the latest version of Flash
> (9.0.124.0) is not vulnerable to these exploits...
>
> - - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
