
Forum Thread: Adobe Flash Player Unspecified Code Execution Vulnerability

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Vulnerabilities

See the original Secunia advisory:
Adobe Flash Player Unspecified Code Execution Vulnerability

Secunia Adobe Flash Player Unspecified Code Execution Vulnerability
Secunia Official 23rd Jan, 2013 22:06
Ranking: 0
Posts: 0
User Since: -
System Score: -
Location: Copenhagen, DK
A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error. No further information is currently available.

Successful exploitation allows execution of arbitrary code.

The vulnerability is reported in version 11.1.102.55. Other versions may also be affected.

gregorio2 RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Member 23rd Jan, 2013 22:06
Score: 2
Posts: 14
User Since: 20th Jan 2009
System Score: N/A
Location: US
Last edited on 23rd Jan, 2013 22:06
Secunia Advisory SA47161 is now over a year old with neither CVE, Secunia, Adobe, or Immunity providing any updates.
At some point, already past, this reflects badly on all parties. Yes, it reflects badly on CVE and Secunia, because
for all the public knows, this vulnerability may or may not have ever existed or it may have been fixed by updates, and yet you
continue to report on it without further input.
I find this quite baffling and sad.
At some point you could have posted another security firm's comment, surely you did reach out. The last comment at CVE is also over a year old.
Hoping it does not take another year for the status on this advisory to change.
E.Jeppesen RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Secunia Official 28th Jan, 2013 09:50
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Thank you for your input. I am sure however that any relevant information will be added to the advisory when available, including information about a patch if/when Adobe releases it.
ParzivalRM RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Member 8th Aug, 2013 13:00
Score: 13
Posts: 41
User Since: 15th May 2010
System Score: N/A
Location: AU
Last edited on 8th Aug, 2013 13:00
This reply was unsatisfactory when it was posted --- "Trust the experts, they know what's best" --- and it is even more unsatisfactory now, seven months later. Surely Secunia can provide us with some update to the information after we have gone nearly two years seeing a constant level 4 vulnerability reported in our browsers?
E.Jeppesen RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Secunia Official 19th Aug, 2013 13:06
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Sorry for the late reply. I have been in contact with our researchers who have confirmed that they currently do not have any additional information about the patch status from the vendor and therefore will not update the advisory at this point.
ky331 RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Member 24th Aug, 2013 12:04
Score: -1
Posts: 10
User Since: 4th Apr 2008
System Score: N/A
Location: US
Unless I'm mistaken, under the Secure Browsing tab,

PSI 1.x is citing this Flash vulnerability 47161 as Insecure, No Solution (in each browser); whereas
PSI 2.x is NOT making any such objection... the same browsers (with Flash) are deemed secure.

What is the explanation for this? Does it add any information to the picture???

P.S. Yes, I realize that both PSI versions mentioned are old... very old, in fact... and one can argue they should be updated to the current version. But that's not the point of this post. Both old versions are still functioning, working nicely on my systems, but offering conflicting information about the same Flash product. I would hope you would address just the Flash aspect... without saying more about the need to update the PSI.

mogs RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Expert Contributor 24th Aug, 2013 13:03
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@ky331

All versions of psi use the same scanning engine....the differences are oft in the presentation of the information detected.
I don't use Adobe Flash except that integral with Chrome....so can't be overly specific 'bout your findings....but I think you may be interpreting "not shown" as "secure".
Of the psi 2.0 versions....psi 2.0.0.3003 offers the most comprehensive Secure Browsing features....if my memory serves me well....the others are incomplete.

Hope it helps.....mogs.....

--
ky331 RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Member 24th Aug, 2013 13:29
Score: -1
Posts: 10
User Since: 4th Apr 2008
System Score: N/A
Location: US
I think you may be interpreting "not shown" as "secure".

Absolutely. I was taking lack of citation of a problem to mean there was no problem there... especially since I took for granted the various PSI versions WERE using the same database... meaning that the problem WAS known.

If you're saying that the 2.x series are at fault for omission of vulnerabilities, yes, that would explain the "contradiction" here... but also begs the question WHY the 2.x series was/is so defective in its analysis.
Anthony Wells RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Expert Contributor 24th Aug, 2013 18:25
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

No one is forced to update to version 3.x whilst versions 1.x and 2.x are "fully" supported - although some "bugs" in the earlier versions may fall behind while Secunia try to get version 3.x to work properly - still rather work in progress . Even then , the various platforms of the PSI have different target audiences .

I use version 2.0.0.3003 and it currently shows NPAPI Flash plug-in as "unpatched , no vendor solution" for Google Chrome Stable browser and Mozilla Firefox Release Channel browser ; both browsers are shown as "Not secure for browsing" - other plug-ins , also apply .

I do not have the Flash ActiveX plug-in installed in IE8 which is "Not secure for Browsing" for its own inherent vulnerability .

As Mogs has said some other versions have different "Secure Browsing" displays or are less complete . This is a known situation but I was not aware of them not currently displaying Flash correctly ; however , there is also a long history of the plug-ins coming and going and coming back in an aleatory fashion .

Which versions of the PSI 1.x 2.x and Flash are involved on which machine/system .

@wr still uses the PSI 1.5.0.2 so he might be able to comment if he passes by .

Secunia support do not work on the PSI at weekends , so you will need to wait for their input until Monday next at best .

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
ky331 RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Member 24th Aug, 2013 18:54
Score: -1
Posts: 10
User Since: 4th Apr 2008
System Score: N/A
Location: US
On both systems, Flash is current at 11.8.800.94

On my Win7x64 Pro SP1 system, I am using PSI 1.5.0.2, which is showing this Flash version as being patched; yet, it's listed as "insecure, no solution" (SA47161) for browsing under IE10 and Firefox 23.

On my wife's (32-bit) Win XP SP3 system, we have PSI 2.0.0.4003, which is likewise showing this version of Flash as being patched; but, as noted by one of the participants above, there is no mention of it whatsoever under the secure browsing tab (not under IE8, not under FF23, not under Opera 12). So, without a Flash "problem" to report, it's asserting that both FF and Opera are secure for browsing. IE, of course, is insecure by itself.

Hope this helps clarify the situation.

mogs RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Expert Contributor 24th Aug, 2013 19:21
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@ Anthony

Thanks for your further elaboration/explanation.....but, is that right ?..............
I use version 2.0.0.3003 and it currently shows NPAPI Flash plug-in as "unpatched , no vendor solution" for Google Chrome Stable browser and Mozilla Firefox Release Channel browser ; both browsers are shown as "Not secure for browsing"

I'm running psi 2.0.0.3003 with Chrome Stable 29.0.1547.57....Flash PPAPI 11.8.800.115 plug-in..........showing as Secure for Browsing....I take it you have altered for yourself the original ?

--
Anthony Wells RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Expert Contributor 24th Aug, 2013 19:33
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Yes , that is quite clear . Thanks .

The PSI version 2.0.0.4003 is known to display a lesser number of plug-ins than 2.0.0.3003 in Secure Browsing but , AFAIK , Flash should be displayed . However , as I said above , there are known display problems with Flash from time to time . This may be one of those times when 2.0.0.4003 has been singled out for idiosyncratic treatment .

If Emil J. does not pick this up on Monday next (CET) then I would point out your "bug" to him by email to support@secunia.com and reference this thread .

Enjoy your weekend - blame me for not sorting the wife's problem .

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
mogs RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Expert Contributor 24th Aug, 2013 19:37
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@ky331

You might find the following of use....Qualys Browser Check

Browser Check Complete
Congratulations! You passed Qualys BrowserCheck.
We recommend you scan your browser regularly to stay up to date with the latest versions and plugins.

https://browsercheck.qualys.com/?scan_type=js

I've occasionally found the odd discrepancy in detections...or rather my interpretation of them (!)...with its use.

Hope it's of help.....regards.....mogs....

--
Anthony Wells RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Expert Contributor 24th Aug, 2013 19:54
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Mogs ,

Your display (to which you refer) is PPAPI which is Google Chrome's own Pepper Flash and updates silently . It numbers differently to NPAPI much of the time . You do not have NPAPI installed , as I remember .

I was only referring to the NPAPI problem as posted which is the Mozilla and others Flash plug-in : it is picked up by all Chrome channels (when loaded) and found in "Settings" ---->plug-ins . It shows in both my Frame Stable and Dev Channel browser installations . NPAPI latest installed version is 11.8.800.94 but of course only appears for me in the Secure Browsing because of Frame . No Dev Channel .

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
mogs RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Expert Contributor 24th Aug, 2013 20:10
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Anthony

Yes...thanks....that's quite clear....I thought it might be of use; inasmuch that some readers might have interpreted Chrome Stable as being insecure, from the statement.
I'm managing without Dev and Canary at the moment....some minor withdrawal symptoms persist..tho' adequate compensation with 29 in the endless search for equilibrium !! Ha!

--
Anthony Wells RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Expert Contributor 24th Aug, 2013 20:37
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Mogs ,

At the risk of complicating the discussion , it is most likely that Chrome's PPAPI is subject to the same SA as the NPAPI ; the fact that it is "sandboxed" by Google Chrome and you supposedly cannot get at it may have caused Secunia to ignore it , it may have slipped by them or it genuinely is not vulnerable .

Perhaps Emil can clarify the situation .

I wonder what Secunia say about the flash plug-in embedded in IE10 . Again , I would guess it is subject to the same old SA !! But what do I know .

Things to do .

Yaki Da .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
mogs RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Expert Contributor 24th Aug, 2013 20:50
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Anthony

Thanks again....hence my reason for referring to Qualys....it does actually show my referred-to plug-in 11.8.800.115 as being up to date.....





--
Anthony Wells RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Expert Contributor 24th Aug, 2013 21:49
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Mogs ,

I do not see your point , you seem to be confusing Qualys "up to date" and "secure for browsing" . Qualys shows the same reading as the PSI's "Scan Results" module .

Qualys shows my Google Chrome Dev Channel PPAPI 11.8.800.129 as "up to date" and does not display the NPAPI .

It shows my Firefox NPAPI 11.8.800.94 also as being "up to date" which my PSI 2.0.03003 shows as "no solution" in "Secure browsing" whilst @ky331's wife's 2.0.0.4003 does not ; the point of my posts .

The VLC plug-in mirrors this situation .

Anthony



--


It always seems impossible until its done.
Nelson Mandela
mogs RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Expert Contributor 24th Aug, 2013 22:17
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Anthony

I don't have the "advantage" at present of having alternative browsers to compare...other than IE9....As you stated earlier...the discussion could become overly complicated....No, I'm not getting confused....Chrome is shown as Secure for browsing with Secunia and up to date with Qualys....in the light of your comments, I think I'll disable Adobe until confirmation of its status is made clear.

--
E.Jeppesen RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Secunia Official 26th Aug, 2013 09:07
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Thank you all for your input. The lacking detections in the Secure Browsing feature in PSI 2 are a known issue that has already been reported to our developers.

@ky331
Would you mind sending a few screenshots to support@secunia.com? A screenshot of your secure browsing page in PSI 1 and 2, showing the inconsistency, will be appreciated. I will then add the screenshots to our bug report.
ky331 RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Member 26th Aug, 2013 13:22
Score: -1
Posts: 10
User Since: 4th Apr 2008
System Score: N/A
Location: US
Screenshots have been e-mailed per your request.
E.Jeppesen RE: Adobe Flash Player Unspecified Code Execution Vulnerability
Secunia Official 26th Aug, 2013 13:28
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
@ky331
Thank you very much. I have now used your screenshots to update our bug report.

