Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: False negative: Adobe Flash Player 11.x detected as patched, but ...

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
mtodorov False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Member 22nd Feb, 2012 14:57
Ranking: 12
Posts: 166
User Since: 20th Mar, 2009
System Score: N/A
Location: HR
Last edited on 22nd Feb, 2012 14:58

I have already reported this in other thread (http://secunia.com/community/forum/thread/show/121...), but now I am positive this is false negative, and people likely have vulnerable machines.

So, to repeat,

Adobe Flash Player NPAPI 11.1.102.62
Adobe Flash Player ActiveX 11.1.102.55

But report in "Scan Results" is Patched.

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><

Maurice Joyce RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Handling Contributor 22nd Feb, 2012 15:50
Score: 11626
Posts: 8,915
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 22nd Feb, 2012 17:05
Once U fully understand how PSI works it U will discover it is NOT a false negative. To some it may not be presented as they would like it but that DOES NOT MEAN IT IS A FALSE NEGATIVE.

For those who may be mislead by this irrelevant thread this is what PSI does in respect of programmes that are present on a system THAT ARE FULLY PATCHED BY THE USER.

1. It will present the fact it is FULLY PATCHED - that does NOT IMPLY it is free from a VULNERABILITY. To further help users in this situation Secunia clearly give notice to users:
a. By use of the Advisory Section - in this instance the detail is here:
http://secunia.com/advisories/47161/
b. By allowing everyone to receive emails with details of vulnerabilities.

2. Advanced users have an option to check the Secure Browsing Section where it shows more facts including, in this instance, that the IT world are waiting for Adobe to get their act together & produce a long lasting SECURE version of Flash.

At the current time users have two options.

1. Remove Flash completely.

2. Continue to use Flash but CONTROL its behaviour as described in the Advisory.

"Solution
Do not browse untrusted sites or disable the player."


PSI are not unique in showing FLASH as fully patched. Qualy's (another leader in the vulnerability world) show exactly the same detail. If U want to retest your browser security the link is here:

QUALYS BROWSER CHECK

If U want a second opinion of your browser(s) security state U can use this tool.

Details of how it works are here:
https://community.qualys.com/docs/DOC-1542#s2_q7

The FAQ & how it works should be read prior to any scanning. For example,if you use more than one browser U must use the scanner on EACH browser. It only supports IE,Firefox & Google.

The scanner is here:
https://browsercheck.qualys.com/

Update 1 22:00 04/11/2011





--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+8
-0
Anthony Wells RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Expert Contributor 22nd Feb, 2012 17:52
Score: 2428
Posts: 3,317
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

In the "other" thread the e.ocx is described as being displayed as a "zombie" detection and no mention is made of the f.ocx which should display if the IE ActiveX was correctly updated to version 11.1.102.62 version .

Exactly which files are contained in the ..\SysWOW64\Macromed\.. folder ?? (mentioned as :-

C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll, version 11.1.102.62 (NPAPI)
C:\Windows\SysWOW64\Macromed\Flash\Flash11e.ocx, version 11.1.102.55 (ActiveX)

I do seem to remember that SysWOW64 files have given detection problems in the PSI before .

Anthony


--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+3
-0
ddmarshall RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Dedicated Contributor 22nd Feb, 2012 20:03
Score: 1205
Posts: 957
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I agree with mtodorov.

This seems to be a side effect of the amalgamation of the entries for the Flash Player plugin and the Flash Player ActiveX into one entry. The plugin has been updated but the ActiveX has not. The scan then treats the ActiveX as a zombie although there is no newer version installed.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+3
-0
Maurice Joyce RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Handling Contributor 22nd Feb, 2012 21:26
Score: 11626
Posts: 8,915
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Agreeing or not agreeing does not answer the question on the way PSI describes Flash for ALL Windows users.

If there is a bug issue with 64 Bit systems with multi browsers that should be reported as explained in the FAQ. There is no indication that has been done by anyone affected.

This thread indicates there is a universal false negative with Flash reporting. That is not the case.

Many use 32 Bit systems who do not have a WOW folder & a zombie file is not created in WOW on Windows7 64 Bit system using only IE if Flash is installed correctly.

On that basis, to create a thread indicating that there is a universal FALSE positive is bunkum.

The statement made on the other thread is also misleading in that it implies Secunia are responsible for updating Flash as follows:

"Misleading is that it says "zero vulnerable programs", despite not patching ActiveX control with a "hole that is gaping".

FALSE NEGATIVE.


Secunia do not make any alterations to any OS & only provide links by whatever means to fix it from the vendor. In this instance there is no link - Flash is vulnerable - full stop.









--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0
mtodorov RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Member 22nd Feb, 2012 22:05
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
on 22nd Feb, 2012 21:26, Maurice Joyce wrote:
Agreeing or not agreeing does not answer the question on the way PSI describes Flash for ALL Windows users.

If there is a bug issue with 64 Bit systems with multi browsers that should be reported as explained in the FAQ. There is no indication that has been done by anyone affected.

This thread indicates there is a universal false negative with Flash reporting. That is not the case.

Many use 32 Bit systems who do not have a WOW folder & a zombie file is not created in WOW on Windows7 64 Bit system using only IE if Flash is installed correctly.

On that basis, to create a thread indicating that there is a universal FALSE positive is bunkum.

The statement made on the other thread is also misleading in that it implies Secunia are responsible for updating Flash as follows:

"Misleading is that it says "zero vulnerable programs", despite not patching ActiveX control with a "hole that is gaping".

FALSE NEGATIVE.


Secunia do not make any alterations to any OS & only provide links by whatever means to fix it from the vendor. In this instance there is no link - Flash is vulnerable - full stop.


No such intent was made by my report of the problem, Mr. Joyce. I am trying to look positive and constructive, towards helping make PSI better. In no aspect or a mere thought didn't occur to demean excellent Secunia PSI tool and incredible job of examining vulnerabilities of several thousand programs and software products. Nor did I demean discussion participants. In the end, if this is offence to you, Mr. Joyce, I could keep this issue boxed. Or we could do the right thing and if I could have the honor of helping make PSI make the right thing.

I am myself a programmer, and I recognize my own software has bugs. Therefore I don't mean that programmers are stupid or incompetent if a bug occurs, rest assured.

I am sorry if I sounded victorious in conclusion that it is false negative, but I sort of compete with myself in finding bugs. This is the hacker in me. No offence intended. And especially, nothing personal against you or valuable Secunia professionals. You are in my prayers and your well-being is my first prerogative and if I was haughty and disdainful this is sin where I go Sundays.

In the end there is a Chinese proverb that says "telling it makes you look like a fool for five minutes, keeping it in makes you a fool for life".

Have a nice remainder of day.
Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
Was this reply relevant?
+0
-0
Maurice Joyce RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Handling Contributor 22nd Feb, 2012 23:07
Score: 11626
Posts: 8,915
User Since: 4th Jan 2009
System Score: N/A
Location: UK
You really need to re read what I have written. U may well have found a minor bug with a 64 Bit system when reporting multi use browsers (which is excellent news if proven).

That is not what your thread states. It implies that PSI is issuing a Flash false negative for ALL windows users with NO MENTION of the word bug if used UNDER CERTAIN CIRCUMSTANCES.

Bug reporting is best conducted as advised by Secunia in their FAQ or if the Forum is used the header clearly explains it is a bug report & the same bug format is used as requested in the FAQ.

As for improving PSI, some of us are not so vain as to continually publish our IT expertise to the Forum.

Better to write to Secunia - U will find, as I have, that they are very accommodating in accepting changes provided the Justification of Requirement is fully met.

Only Secunia knows how many submissions I have made for possible improvements. I prefer to keep it that way & my level of expertise!!










--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0
Anthony Wells RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Expert Contributor 22nd Feb, 2012 23:44
Score: 2428
Posts: 3,317
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 22nd Feb, 2012 23:45
Hi again ,

I would still like to know which files are in the SysWOW64 Macromed folder ; if there is a full set of ActiveX version 11.1.102.55 files then reporting e.ocx as a "zombie when it is actually "insecure" is a fault/bug/false negative/positive or whatever you wish to call it . If there is only the e.ocx file then the PSI may have decided to call it a "zombie" even if the patched version .62 has not (correctly) installed .

The "secure browsing" aspect is not relevant , in my opinion .

Anthony



--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
mtodorov RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Member 22nd Feb, 2012 23:54
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
Yes, besides, I had also a problem with Secunia PSI auto update, which left NPAPI Flash plugin zombified and not patched.

(unknown source)

Adobe Flash Player 11.x 2 Patched - 11.1.102.62 (ActiveX) 11.1.102.62 (ActiveX) Up-to-date (AU)

Detected Instances:
C:\WINDOWS\system32\Macromed\Flash\Flash11f.ocx, version 11.1.102.62 (ActiveX)
C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll, version 11.1.102.55 (NPAPI)

You can double click this row for additional information and options.


Tomorrow I will attempt to file a proper bug report, but somehow rulesets were changed by Mr. E.Petersen based on report on this forum. No offence meant, Mr. Joyce, I am proud of being able to make PSI better. In fact, I am fond of PSI. There cannot be emphasized strong enough what a difference this too makes for administration of vulnerable program. I hate to flatter, I said this only because you seemed as if defending against unhealthy criticism, and you may even be right, but my basic attitude that PSI is good software that does a great job.

It is nothing personal. We all want to make PSI better, right?

Regards,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
Was this reply relevant?
+0
-0
Anthony Wells RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Expert Contributor 23rd Feb, 2012 00:12
Score: 2428
Posts: 3,317
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Helo mt ,

So now you are telling us that you have exactly the opposite situation in your System32 Macromed folder .

Unless you list the actual files installed in the SysWOW (already requested) and now the System32 folder you are not helping yourself and certainly not me to detect whether there is a bug or not .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
Maurice Joyce RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Handling Contributor 23rd Feb, 2012 00:19
Score: 11626
Posts: 8,915
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Anthony,
On a 64 Bit system the files are located in 2 areas if the users wants all aspects to work.

Not sure my pictorial helps in that they only reflect one browser being installed?

https://skydrive.live.com/?cid=e9ea368cbd08adb3#ci...

https://skydrive.live.com/?cid=e9ea368cbd08adb3#ci...

Click the picture to make it look slightly larger or click Original View for best result.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
Anthony Wells RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Expert Contributor 23rd Feb, 2012 00:47
Score: 2428
Posts: 3,317
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Thanks Maurice . I was aware that there were two folders on a 64 bit system , but your caps make that quite clear . I have the same System32 ActiveX files and the NPAPI plug-in adds 3 more files plus an .xpt file (whatever that might be) ; so I would guess something very similar would happen in the SysWOW folder .

What on earth mt has on his system only he can tell us and whether the PSI display should read "insecure" or "zombie" in either case .

The fact that there is an overlying discrepancy between WOW and 32 and that the Adobe updater and the PSI auto-update both "failed" might have combined to produce this anomaly and hence this end result .

That's me for today , will try to check back tomorrow .

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
Maurice Joyce RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Handling Contributor 23rd Feb, 2012 00:55
Score: 11626
Posts: 8,915
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Anthony,
I agree. Details on .xpt
http://www.fileinfo.com/extension/xpt

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
mtodorov RE: False negative: Adobe Flash Player 11.x detected as patched, but ActiveX control is 11.1.102.55
Member 23rd Feb, 2012 08:41
Score: 12
Posts: 166
User Since: 20th Mar 2009
System Score: N/A
Location: HR
on 23rd Feb, 2012 00:12, Anthony Wells wrote:
Helo mt ,

So now you are telling us that you have exactly the opposite situation in your System32 Macromed folder .

Unless you list the actual files installed in the SysWOW (already requested) and now the System32 folder you are not helping yourself and certainly not me to detect whether there is a bug or not .

Anthony


Hi, Anthony. It is exactly so. On my XP 32-bit machine the situation is exactly opposite (NPAPI is *.55 and ActiveX is up to date since I used internal PSI auto-update), while on Windows 7 64-bit tin I used Adobe's native Flash upgrade tool that appeared on startup and didn't patch ActiveX for some reason.

PSI happily reported it as a "zombie" installation, but it was the only NPSWF32.dll, not the old one out of two.

PSI 2.0.0.4003 reports both grouped as "Patched". This is the problem for the unwary - both or now all four players need to be checked (ActiveX and NPAPI, 32-bit and 64-bit).

AND operation needs to be performed on components to proclaim Flash patched, not OR.

It is a flaw in PSI logic.

You have completely discouraged me from filing a bug report. Only @ddmarshall was supportive, so it is 2 : 1 for not reporting.

Cheers,
mt


--
"If a task is worth doing, it is worth doing right. If it is not worth doing well, it is not worth doing." -- Dr. Jack Hyles
<><
Was this reply relevant?
+2
-0

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability