SUMware
Premium
join:2002-05-21
1 edit | reply to bcastner
Re: After XP SP3 Install - Check Flash Player Version
Right, understand it now! Thanks again. |
|
bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs: 
 ·Verizon Online DSL
1 edit | reply to SUMware
It does not remove or replace anything. That was the original guess being made, and it is the factual point in error about this issue.
XP SP3 does nothing to the Flash status as existed prior to its installation. It ensures that the Flash status, at least the portion that was in the SP2 distribution, is as it was for SP2. However, it will not effect a computer with a Flash update. It will not add anything that SP2 did not. It will not expose a vulenerability because there is an older version of Flash.ocx available; the issue is not unique to XP SP3 -- if there has been no updates to the computer since SP2 -- including the Hotfix above, your risk exposure is identical to the state of your system prior to installing XP SP3. And if you have updated Flash, it does not change the risk exposure by installation. Previous OCX versions are not callable under Flash if later versions are installed.
Let's not invent a vulnerability where non exists. Let's use this as a useful reminder for those who do not update Flash, or do not wish to use it, to take steps -- the Hotfix, the uninstaller from Adobe, or turning it OFF formally -- to make sure their systems are secure. But no additional securiy surface in regards to Flash is exposed by the XP SP3 installation. The Hotfix notes quoted above were the same as issued with XP SP2; revised only to suggest that if you have done nothing -- no Hotfix, no Flash Update -- then the same warning applies as it did several years ago.
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users
|
|
SUMware
Premium
join:2002-05-21
1 edit | reply to bcastner
Guess I'm confused...
From »www.microsoft.com/technet/securi···069.mspx
said by Microsoft :
Vulnerable versions of Macromedia Flash Player from Adobe are redistributed with Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, and Microsoft Windows XP Professional x64 Edition.
Why was this Bulletin revised on May 13, 2008?
This bulletin was revised to add Windows XP Service Pack 3 as affected software. This is a detection update only. There were no changes to the binaries, since the same update for Windows XP Service Pack 2 and Windows XP Professional x64 Edition applies to Windows XP Service Pack 3. Customers with Windows XP Service Pack 2 and Windows XP Professional x64 Edition who have already installed the security update will not need to reinstall the update. Customers with Windows XP Service Pack 3 should apply the update immediately.
According to MS this seems to indicate that SP3 shipped with vulnerable Flash6.ocx files (6.0.79 or 6.0.88 ?) that removed, then replaced, the user's file. Thus after installing SP3 users need to apply the update.
Or am I interpreting this incorrectly?
Here's Donna Buenaventura main site to check for applicable updated information.
Edit: ocx file not needed. I think that I'm getting it now. Thanks Bill. |
|
bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL
3 edits | reply to SUMware
From discussions with her on a listsrerv over the weekend.
If you have updated Flash, there is no issue -- though make sure you have updated to the very latest verion of Flash 9.
If you do not have any Flash Update, then apply this Hotfix:
Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789)
Published: November 14, 2006 | Updated: May 13, 2008
»www.microsoft.com/technet/securi···069.mspx
Or, turn Flash Off: »msmvps.com/blogs/harrywaldron/ar···e-8.aspx
Or, delete the flash.ocx file: »kb.adobe.com/selfservice/viewCon···liceId=2
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users
|
|
SUMware
Premium
join:2002-05-21
| reply to bcastner
Thank you for the information.
said by bcastner  :This is a non-issue, as Donna Buenaventura now recognizes. Can you post a link to this... can't seem to find it. |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| reply to bcastner
said by bcastner : It is not registered, and cannot be called by a Flash application. Only your installed (newer) version is a registered and active component. Can then flash.ocx simply be deleted, as there is no need for it?
Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008 |
|
bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL
2 edits | reply to SUMware
This is a non-issue, as Donna Buenaventura now recognizes. The older Flash module was included in SP2 as well. It is not registered, and cannot be called by a Flash application. Only your installed (newer) version is a registered and active component.
This is not a parallel case to older and vulnerable Sun Java versions, where older and vulnerable versions were still available for exploit. |
|
