Microsoft's writeup in their advisory is vague about what versions are involved. I installed the update on an SP3 system running Flash 8.0.24.0 and got an error back that the update was not a proper version for the Flash I was running, or something like that.
I went to the Flash site and installed the current (9.0.124.0) version.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Nelson
Sent: Monday, June 02, 2008 6:26 PM
To: Paul Ferguson
Cc: [email protected]
Subject: Re: [funsec] XP SP3 Installs Older,Vulnerable Version of Flash Player

IIRC Microsoft's reasoning for not shipping SP3 with a newer version was that their license for flash only covered the older version that they include in the update. Personally I'd have rather seen them not include the file at all if it wasn't the most recent release, which really wouldn't have helped in this case with the most recent at the time of the SP3 release being exploitable.

Dave

Paul Ferguson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yes, you read that correctly:
>
> "It appears that XP service pack 3 installs an older vulnerable
> version of the flash player, causing those systems to be vulnerable
> to these vulnerabilities."
>
> More:
> http://isc.sans.org/diary.html?storyid=4513
>
> Why is this important? Lots and lots of malicious Flash [.swf]
> exploits:
>
> http://blog.trendmicro.com/flash-bugs-exploited-in-latest-mass-compromise/
>
> The latest news on this is that the latest version of Flash
> (9.0.124.0) is not vulnerable to these exploits...
>
> - - ferg
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.3 (Build 3017)
>
> wj8DBQFIRGjTq1pz9mNUZTMRAkNGAKDsiLkn1Gzto3Mq/Jful60/5mJCQwCdHadQ
> PokqwkDUrvn3tKSMpYRpYeA=
> =Uw89
> -----END PGP SIGNATURE-----
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
