Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: Adobe CS3 Flash plugin vuln dissapeared

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
mtodorov2 Adobe CS3 Flash plugin vuln dissapeared
Member 26th Oct, 2009 13:33
Ranking: 1
Posts: 14
User Since: 26th Oct, 2009
System Score: N/A
Location: N/A
Hi,

Few weeks ago there were several "vulnerable" instances of Flash General Plug-In 9.0.45.0 (if I remember well) and NPSWF32.dll in Adobe CS3 full installation.

It seems to have been six instances of this plugin, even after full update of CS3.

Most notable is C:\WINDOWS\system32\NPSWF32.dll

All of them have disappeared. True, C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll has truly gone after uninstall/install 10.0.32.18 General Plug-in, but system32 instance is still in C:\WINDOWS\system32, version 9.0.45.0, and no vulnerability is shown.

C:\Program Files\Adobe\...\NPSWF32.dll are all still 9.0.45.0.

Is it a problem with new inspection rules, or what could it be?

Thanks,
MT

M.Hansen RE: Adobe CS3 Flash plugin vuln dissapeared
Secunia Official 26th Oct, 2009 14:11
Score: 188
Posts: 410
User Since: 26th Jan 2009
System Score: N/A
Location: Copenhagen, DK
Hi MT,

Thanks for the report.

It is very likely that some of your previous detected Adobe Flash "installations" have been removed from the Secunia PSI interface. This is due to a change in our rules for Adobe Flash Player, which previously detected all versions regardless of the files position/installation path.

Generally speaking, the Secunia PSI should only report missing security patches, which can be resolved through the official means/patches available from the vendors. Thus in a scenario where a vulnerable version of the Adobe Flash Player is included in a third party program (or in this case, Adobe's own products), the Secunia PSI should as such not report them, until a general security patch (if required) is available from the vendor of the program distributing the Adobe Flash Player together with their software.

I am, however, curious about the version that you have in "C:\WINDOWS\system32\NPSWF32.dll" since this should not be the general installation path for the Adobe Flash Player. Usually, the plugins are placed in "C:\WINDOWS\system32\Macromed\Flash\". Do you by any chance know what program placed that file there, or if it was the official installer from Adobe, that did it?

Thanks in advance,

--
Kind regards,

Morten Hansen
Secunia PSI Support

Secunia PSI
http://secunia.com/vulnerability_scanning/personal
Anthony Wells RE: Adobe CS3 Flash plugin vuln dissapeared
Expert Contributor 26th Oct, 2009 21:42
Score: 2437
Posts: 3,332
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 26th Oct, 2009 21:52
Hello Morten Hansen ,

It seems to be "catch 22/horns of a dilemma" situation where you show "real vulnerability holes/actual potential danger" in "secure" browsing when a patch is not available , but now have new rules for "ignoring" old/insecure versions of Flash (and presumably Shockwave v10 with it going to "out of date") according to location and/or difficulty in patching ; causing "insecure" versions not to be displayed , even though they could "presumably" carry some risk . IF there is no risk fine , but surely the security conscious Secunia user should be told if they are exposed to a risk and thereby allow him/her/it to choose a line of action** , as in "secure browsing" ; of whose value I was sceptical at first , but am now fully convinced.

I know it might seem overcomplicated , but then other people have suggested , in the past , that some kind of indication of the danger of files , according to location would help , say like you offer already with programme threat category and advisories.

Or perhaps, you could post some details of Secunia's knowledge concerning old versions of Flash in say programs like CS3 or Shockwave v10 , as it seems to be reloaded/demanded by a lot of web programmes .

Take care
Anthony

Edit**: contact the programme supplier , delete it , work around , extra precautions , etc.

Very bizarre , as I finished the Edit , the PSI balloon appeared and told me that Flash x2 and Air have just been removed ; was it something I said ??:o))

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
mtodorov2 RE: Adobe CS3 Flash plugin vuln dissapeared
Member 28th Oct, 2009 08:27
Score: 1
Posts: 14
User Since: 26th Oct 2009
System Score: N/A
Location: N/A
on 26th Oct, 2009 14:11, M.Hansen wrote:
Hi MT,

Thanks for the report.

It is very likely that some of your previous detected Adobe Flash "installations" have been removed from the Secunia PSI interface. This is due to a change in our rules for Adobe Flash Player, which previously detected all versions regardless of the files position/installation path.

Generally speaking, the Secunia PSI should only report missing security patches, which can be resolved through the official means/patches available from the vendors. Thus in a scenario where a vulnerable version of the Adobe Flash Player is included in a third party program (or in this case, Adobe's own products), the Secunia PSI should as such not report them, until a general security patch (if required) is available from the vendor of the program distributing the Adobe Flash Player together with their software.

I am, however, curious about the version that you have in "C:\WINDOWS\system32\NPSWF32.dll" since this should not be the general installation path for the Adobe Flash Player. Usually, the plugins are placed in "C:\WINDOWS\system32\Macromed\Flash\". Do you by any chance know what program placed that file there, or if it was the official installer from Adobe, that did it?

Thanks in advance,



To my disappointment, I've been unable to trace where the C:\WINDOWS\system32\NPSWF32.dll came from. Uninstalling complete CS3 didn't remove it, but on the other hand it didn't remove a whole bunch in C:\Program Files either.

Was this reply relevant?
+0
-0
RTdev RE: Adobe CS3 Flash plugin vuln dissapeared
Member 28th Oct, 2009 14:34
Score: 7
Posts: 16
User Since: 27th Oct 2009
System Score: N/A
Location: N/A
Last edited on 28th Oct, 2009 22:32
I face the same problem, and i can add precious details about a fresh new system installation dated 17/08/2009.

The chronological installation consisted of the followings:
STEP 1:
- Partition formating.
- Windows XP Sp3 installation.
- Internet Explorer 8.0.6001.18702 + KB972260 + Privbar installation.
- Firefox 3.5.2 (17/08/2009) installation
- Flash Player Plugin 10.0.32.18 installation.
- Flash Playe ActiveX 10.0.32.18 installation.
...
- Kaspersky anti virus 9.0.0.463 installation.
- Secunia PSI 1.0.0.5 installation


STEP 2:
- connection to the internet
- kaspersky activation and update and customisation.
- Secunia analysis results:
>>> Insecure Programs: MSXML 6.x -> patched by SecurityUpdate-KB954459.
>>> Secure Browsing tab: IE8 is referred as "Insecure no solution".


STEP 3:
- Adobe CS3 installation.
- Secunia analysis results:
>>> Insecure Programs:
+ Apple Bonjour 1.x
1 Flash Player 9.x in C:\WINDOWS\system32\NPSWF32.dll v9,0,45,0
2 Flash Player 9.x in C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll v9,0,45,0
3 Flash Player 9.x in C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll v9,0,45,0
4 Flash Player 9.x in C:\Program Files\Adobe\Adobe Flash CS3\AIK\runtimes\air\win\Adobe AIR\Versions\1.0\NPSWF32.dll v9,0,45,0
5 Flash Player 9.x in C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Plugins\NPSWF32.dll v9.0.45.0
6 Flash Player 9.x in C:\Program Files\Adobe\Adobe Bridge CS3\browser\plugins\NPSWF32.dll v9,0,45,0
+ Macromedia Flash Player 6.x in C:\WINDOWS\system32\Macromed\Flash\flash.ocx v6,0,79,0
+ Adobe Acrobat 8.1.0 Professional
>>> Secure Browsing tab: IE8 is referred as "Insecure no solution".

So it appears clrearly that Adobe CS3 installs these multiples copies of NPSWF32.dll v9.0.45

STEP 4:
After Adobe CS3 automatic and manual update, Plus Flash Player uninstall then reinstall, the following files are still present:

1 C:\WINDOWS\system32\NPSWF32.dll v9,0,45,0
2 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll v10,0,32,18 (patched)
3 C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll gone away
4 C:\Program Files\Adobe\Adobe Flash CS3\AIK\runtimes\air\win\Adobe AIR\Versions\1.0\NPSWF32.dll v9,0,115,0 (imperfectly patched)
5 C:\Program Files\Adobe\Adobe Dreamweaver CS3\configuration\Plugins\NPSWF32.dll v9.0.45.0
6 C:\Program Files\Adobe\Adobe Bridge CS3\browser\plugins\NPSWF32.dll v9,0,45,0
+ C:\WINDOWS\system32\Macromed\Flash\flash.ocx v6,0,79,0
(+ C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe v9,0,45,0)
(+ C:\WINDOWS\system32\Macromed\Flash\FlDbg9c.ocx v9,0,45,0)

So the dangerous files are installed by Adobe CS3 and can't be patched neither by Adobe automatic nor manual updates.
Was this reply relevant?
+0
-0
RTdev RE: Adobe CS3 Flash plugin vuln dissapeared
Member 28th Oct, 2009 15:19
Score: 7
Posts: 16
User Since: 27th Oct 2009
System Score: N/A
Location: N/A
Last edited on 28th Oct, 2009 16:03
Today the warnings about the insecure copies of flash player 9,0,45,0 have desappeared from the secunia report.
But the dangerous files are still there.
For my concern:
I don't need one of these update-checkers that says if the version installed on my computer is the last up-to-date version or an old One.
I need a vulnerability-checker that says if the version installed on my computer is known vulnerable or not.
So ALL the insecure known files MUST be displayed as insecure.(either with or without solution)
Even if it doesn't please the editor.

Secunia is a very usefull vulnerability tracker.
I don't want secunia help hiding known vulnerabilities !!!
I hope it will become soon again as usefull as it was.

Phil.
Was this reply relevant?
+0
-0
mtodorov2 RE: Adobe CS3 Flash plugin vuln dissapeared
Member 28th Oct, 2009 16:02
Score: 1
Posts: 14
User Since: 26th Oct 2009
System Score: N/A
Location: N/A
I tend to agree with RTDev. Even when there was no official patch, occasionally there used to be a workaround available for the given vulnerability.

It is good, however, that Mozilla and IE8 are no longer shown as having high-rated vulnerability vectors if critically vulnerable plug-ins are not in their plug-in search path.

MT
Was this reply relevant?
+1
-0
mtodorov2 RE: Adobe CS3 Flash plugin vuln dissapeared
Member 29th Oct, 2009 17:09
Score: 1
Posts: 14
User Since: 26th Oct 2009
System Score: N/A
Location: N/A
To add what I failed to say clearly yesterday - thinking there are no vulnerabilities just because there are no official patches, when it is evident that there are vulnerabilities, that is false security.

It is completely different to not render browser vulnerable if thethreat is in C:\Program Files\Adobe\Adobe Bridge CS3\browser\plugins which is never scanned by Firefox or other browser. That is avoiding false alarms.
Was this reply relevant?
+1
-0
RTdev RE: Adobe CS3 Flash plugin vuln dissapeared
Member 30th Oct, 2009 09:44
Score: 7
Posts: 16
User Since: 27th Oct 2009
System Score: N/A
Location: N/A
Last edited on 30th Oct, 2009 10:17
Dear mtodorov2, your post is ambiguous. Could you, please clarify your position for me and the other readers.

For my concern,
IE8 in c:\Program Files\Internet Explorer, as well as
Firefox in c:\Program Files\Mozilla Firefox, as well as
Opera in c:\Program Files\Opera,
have never been shown insecure because of an insecure plugin in an exotic location (such as C:\Program Files\Adobe\... ).

But the dangerous copy, itself, of an insecure plugin MUST be repoted as insecure, even in an exotic location such as C:\Program Files\Adobe\... .

Was this reply relevant?
+0
-0
mtodorov2 RE: Adobe CS3 Flash plugin vuln dissapeared
Member 30th Oct, 2009 13:44
Score: 1
Posts: 14
User Since: 26th Oct 2009
System Score: N/A
Location: N/A
on 30th Oct, 2009 09:44, RTdev wrote:
Dear mtodorov2, your post is ambiguous. Could you, please clarify your position for me and the other readers.


Hi, RTdev,

I am sorry if I was not clear enough, I probably wanted to say too much at once. Mea culpa.

(unknown source)
For my concern,
IE8 in c:\Program Files\Internet Explorer, as well as
Firefox in c:\Program Files\Mozilla Firefox, as well as
Opera in c:\Program Files\Opera,
have never been shown insecure because of an insecure plugin in an exotic location (such as C:\Program Files\Adobe\... ).


This is not entirely correct. The IE8 and Firefox were indeed never shown vulnerable because of a plug-in in C:\Program Files\Adobe\..., except for the "Secure Browsing" tab. It reported an "attack vector" every known instance of Flash plug-in, AFAIR, even though Firefox installation never runs that instance of the Flash plug-in.

And also, if I remember good enough, rogue outdated Firefox installation on D:\ drive also made "Secure Browsing" shown Firefox vulnerable.

(unknown source)
But the dangerous copy, itself, of an insecure plugin MUST be repoted as insecure, even in an exotic location such as C:\Program Files\Adobe\... .


Yep. It can still be ran, for instance, by Adobe Dreamweaver CS3, and run the Dreamweaver's vulnerable copy of Flash plug-in. And in turn execute arbitrary code through the vulnerability.

But it is no longer so open and so exposed vulnerability such as exploitable by sites hacked and executing drive-by install of malicious content. It is no longer a browser vulnerability.

I hope I made myself clear this time.

So, with recent change of rules one good and one bad thing happened - there's no false alert in Secure Browsing section (tab) but (false negative) no alert is reported for vuln exploitable through Dreamweaver, or Adobe Bridge, or through C:\WINDOWS\system32\NPSWF32.dll instance of the 9.0.45.0 plug-in.

The latter depends, whether the architects want the PSI to be patching assistance utility, or a vulnerability reporting utility. Depending on that decision, the latter decision is a feature, or a design flaw.

I guess it is surely not a panacea.
Was this reply relevant?
+0
-0
Anthony Wells RE: Adobe CS3 Flash plugin vuln dissapeared
Expert Contributor 30th Oct, 2009 13:55
Score: 2437
Posts: 3,332
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Personally , I prefer the "old" rules where all versions of an insecure programme , plug-in or whatever were identified .

The questions of false security , false positives or false alarms become ambiguous and misleading .

It depends on location ; even I know the security difference implied by a browser plug-in when connected to the net and when not (that is why I browse in a sandbox) ; but just how secure/insecure is it when not connected??

Is it completely secure when it is in a "back up" file or in an "obscure" file ??.

PSI not showing an insecure file in a "totally" secure location (should that ever be the case) is fine by me ; otherwise I would prefer to know about it and what Secunia or anyone else ( such as Community memmbers ) thinks about how "dangerous" it is and what I can/should do about it.

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability