1 edit |
SUMware2
Premium Member
2008-Jun-2 10:29 am
After XP SP3 Install - Check Flash Player VersionFrom Donna's SecurityFlashJune 01, 2008 - said by Donna : One of my co-admin at Calendar of Updates forum is reporting that the Windows XP SP3 replaced the up-to-date flash.ocx (this is Flash Player's file and is located in C:\Windows\System32\Macromed\flash.ocx) with older version which is v6.
Users should make sure that their flash.ocx is the current version. You can run Secunia Software Inspector online or using the Secunia PSI to check what version of flash.ocx you got AFTER you've installed XP SP3.
You can also try to determine what version of Flash Player you have by going to "About Flash Player". You should see:
You have version 9,0,124,0 installed (this is currently the lastest version of Flash Player).
You can right-click also the flash.ocx located in System32\Macromed folder and check what version you got after installing SP3 of XP.
|
|
MagManLife is simpler when you tell the truth. Premium Member join:2003-10-01 Westlake, OH |
MagMan
Premium Member
2008-Jun-2 10:48 am
I have this version installed 10,0,1,218 now what? |
|
|
SUMware2
Premium Member
2008-Jun-2 11:05 am
Looks like you are running a beta version. |
|
bcastner MVM join:2002-09-25 Chevy Chase, MD 2 edits |
to SUMware2
This is a non-issue, as Donna Buenaventura now recognizes. The older Flash module was included in SP2 as well. It is not registered, and cannot be called by a Flash application. Only your installed (newer) version is a registered and active component.
This is not a parallel case to older and vulnerable Sun Java versions, where older and vulnerable versions were still available for exploit. |
|
MagManLife is simpler when you tell the truth. Premium Member join:2003-10-01 Westlake, OH |
to SUMware2
said by SUMware2:Looks like you are running a beta version. I knew that. |
|
CudniLa Merma - Vigilado MVM join:2003-12-20 Someshire |
to bcastner
said by bcastner: It is not registered, and cannot be called by a Flash application. Only your installed (newer) version is a registered and active component. Can then flash.ocx simply be deleted, as there is no need for it? Cudni |
|
|
|
to bcastner
Thank you for the information. said by bcastner:This is a non-issue, as Donna Buenaventura now recognizes. Can you post a link to this... can't seem to find it. |
|
bcastner MVM join:2002-09-25 Chevy Chase, MD 3 edits |
From discussions with her on a listsrerv over the weekend. If you have updated Flash, there is no issue -- though make sure you have updated to the very latest verion of Flash 9. If you do not have any Flash Update, then apply this Hotfix: Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789)Published: November 14, 2006 | Updated: May 13, 2008 » www.microsoft.com/techne ··· 069.mspxOr, turn Flash Off: » msmvps.com/blogs/harrywa ··· e-8.aspxOr, delete the flash.ocx file: » kb.adobe.com/selfservice ··· liceId=2 |
|
almex Premium Member join:2001-09-18 Chandler, AZ |
to SUMware2
Not to sound terribly paranoid, but why is a Microsoft update messing with Macromedia/Adobe files in the first place? |
|
redxii Mod join:2001-02-26 Michigan |
to SUMware2
I have 9,0,124 on a fresh install |
|
CudniLa Merma - Vigilado MVM join:2003-12-20 Someshire |
to almex
MS is not messing anything, that flash.ocx has no effect and can be removed. See bcastner 1st reply Cudni |
|
bcastner MVM join:2002-09-25 Chevy Chase, MD |
to almex
It not messing with anything that it does not have a valid license for, and for which it has distributed since SP2. At the time Macromedia was anxious to move everyone behind Flash and away from earlier methods to show this type of content.
It is a non-issue if you have updated Flash. If you have not updated flash, see the Hotfix link earlier; or update Flash; or Uninstall it. |
|
1 edit |
to bcastner
Guess I'm confused... From » www.microsoft.com/techne ··· 069.mspxsaid by Microsoft : Vulnerable versions of Macromedia Flash Player from Adobe are redistributed with Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, and Microsoft Windows XP Professional x64 Edition.
Why was this Bulletin revised on May 13, 2008? This bulletin was revised to add Windows XP Service Pack 3 as affected software. This is a detection update only. There were no changes to the binaries, since the same update for Windows XP Service Pack 2 and Windows XP Professional x64 Edition applies to Windows XP Service Pack 3. Customers with Windows XP Service Pack 2 and Windows XP Professional x64 Edition who have already installed the security update will not need to reinstall the update. Customers with Windows XP Service Pack 3 should apply the update immediately.
According to MS this seems to indicate that SP3 shipped with vulnerable Flash6.ocx files (6.0.79 or 6.0.88 ?) that removed, then replaced, the user's file. Thus after installing SP3 users need to apply the update. Or am I interpreting this incorrectly? Here's Donna Buenaventura main site to check for applicable updated information. Edit: ocx file not needed. I think that I'm getting it now. Thanks Bill. |
|
bcastner MVM join:2002-09-25 Chevy Chase, MD 1 edit
1 recommendation |
It does not remove or replace anything. That was the original guess being made, and it is the factual point in error about this issue.
XP SP3 does nothing to the Flash status as existed prior to its installation. It ensures that the Flash status, at least the portion that was in the SP2 distribution, is as it was for SP2. However, it will not effect a computer with a Flash update. It will not add anything that SP2 did not. It will not expose a vulenerability because there is an older version of Flash.ocx available; the issue is not unique to XP SP3 -- if there has been no updates to the computer since SP2 -- including the Hotfix above, your risk exposure is identical to the state of your system prior to installing XP SP3. And if you have updated Flash, it does not change the risk exposure by installation. Previous OCX versions are not callable under Flash if later versions are installed.
Let's not invent a vulnerability where non exists. Let's use this as a useful reminder for those who do not update Flash, or do not wish to use it, to take steps -- the Hotfix, the uninstaller from Adobe, or turning it OFF formally -- to make sure their systems are secure. But no additional securiy surface in regards to Flash is exposed by the XP SP3 installation. The Hotfix notes quoted above were the same as issued with XP SP2; revised only to suggest that if you have done nothing -- no Hotfix, no Flash Update -- then the same warning applies as it did several years ago. |
|
1 edit |
SUMware2
Premium Member
2008-Jun-2 1:52 pm
Right, understand it now! Thanks again. |
|