Forum Thread: CS4 is insecure but no updates available?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Adobe Systems
And, this specific program:
Adobe Flash CS4 10.x

This thread has been marked as locked.
tsimmons CS4 is insecure but no updates available?
Member 4th Jun, 2010 16:36
Ranking: 0
Posts: 2
User Since: 3rd Jun, 2010
System Score: N/A
Location: US
I am running PSI 1.5.0.2 on XP Professional sp3 fully patched.

I received a notice yesterday from PSI that my Adobe Flash CS4 was insecure.

I launched Flash and checked for updates (there were none) so I downloaded the solution via the link in PSI. This was a zip file with a folder called "Players" ... I looked in the install directory for Adobe Flash and there is a "Players" folder in there (that contained an older version of the flash player.)

I replaced the folder in the install directory with the folder I downloaded through PSI then did another full system scan but it still shows as insecure.

What else needs to be done?

Thanks &
Cheers,

Toby

Anthony Wells RE: CS4 is insecure but no updates available?
Expert Contributor 4th Jun, 2010 17:26
Score: 2437
Posts: 3,324
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello Toby,

When this occurred in CS3, then updating with an "up to date" .dll has worked for some - their system, their machine: here is an example :-

http://secunia.com/community/forum/thread/show/156...

With the money involved, you really should take it up/further with Adobe; Secunia consider the responsibility for any embedded programme update is with them as per Morten Hansen's second post here :-

http://secunia.com/community/forum/thread/show/434...

Hope this helps.

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+1
-0

pacet911

RE: CS4 is insecure but no updates available?
[+]
This reply has been minimised due to a negative Relevancy Score.
Anthony Wells RE: CS4 is insecure but no updates available?
Expert Contributor 5th Jun, 2010 18:56
Score: 2437
Posts: 3,324
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 5th Jun, 2010 18:57
@pacet911,

PSI detects any/all the files it can find, it reports them and "offers" a known solution.

You decide if the file location makes that file a potential security risk and whether or not to "try" the "solution".

If you think Secunia should change their detection rules in some way, so that the "embedded" files do not display, then you will need to discuss it with them direct. It may not be simple as a .dll is just a .dll.

It is still down to you and Adobe to decide if there is a risk and if so to find a solution; if PSI can "see" the file what about the bad guys, can they expose it??

Secunia will be back on PSI on Monday and may pick up this thread or you could email them at support@secunia.com

Take care
Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+1
-0
gingem RE: CS4 is insecure but no updates available?
Member 8th Jun, 2010 19:46
Score: 0
Posts: 8
User Since: 3rd Jan 2008
System Score: N/A
Location: N/A
I am also receiving the same error. The repair provided is for the flash player and not the flash program. I ran the Adobe update for all programs and it says everything in the suite is up to date. Still receiving the error.
Was this reply relevant?
+0
-0
dmarquess RE: CS4 is insecure but no updates available?
Member 9th Jun, 2010 17:19
Score: 0
Posts: 1
User Since: 9th Jun 2010
System Score: N/A
Location: US
I'm having the same annoying problem on two different laptops. Obviously the 'solution' doesn't work, as not only does that download the Player (which doesn't even match the executable PSI complains about), but it's the same version of the Player that's already in the Flash CS4 install.
Was this reply relevant?
+0
-0
Hokulea RE: CS4 is insecure but no updates available?
Member 12th Jun, 2010 08:07
Score: 2
Posts: 2
User Since: 12th Jun 2010
System Score: N/A
Location: US
The Flash.exe file that is flagged by Secunia PSI is the executable for the Flash application. The Download Solution offered is incorrect.

Updates are available for the FlashPlayer.exe files and for the ActiveX control and Netscape/Firefox Plugin in the following locations:

Windows 32 bit:
C:\Program Files\Adobe\Adobe Flash CS4\

Windows x64:
C:\Program Files (x86)\Adobe\Adobe Flash CS4\

There are a total of 7 files affected:

\Adobe Flash CS4\Players\FlashPlayer.exe

\Adobe Flash CS4\Players\Debug\FlashPlayer.exe
\Adobe Flash CS4\Players\Debug\Install Flash Player 10 Plugin.exe
\Adobe Flash CS4\Players\Debug\Install Flash Player 10 ActiveX.exe

\Adobe Flash CS4\Players\Release\FlashPlayer.exe
\Adobe Flash CS4\Players\Release\Install Flash Player 10 Plugin.exe
\Adobe Flash CS4\Players\Release\Install Flash Player 10 ActiveX.exe

Updated files are available from the Adobe Flash Player Support Center at the following URL:

http://www.adobe.com/support/flashplayer/downloads...

This isn't a straightforward update. You must rename the files downloaded from Adobe and over-write the existing files in the folders listed above. I recommend backing up the existing files or even the complete < Players > folder located at C:\Program Files\Adobe\Adobe Flash CS4\Players (or C:\Program Files (x86)\Adobe\Adobe Flash CS4\Players) before proceeding. Creating a System Restore point would be a good idea as well.

While Flash CS4 Pro seems to still work after renaming and replacing files as outlined below, I cannot guarantee that my solution is correct. Proceed at your own risk.


The only reference Adobe provides is "Note: Flash CS4 users must rename and save flashplayer_10_sa_debug.exe and flashplayer_10_sa_debug.app.zip to Players/Debug/FlashPlayer.exe and Players/Debug/Flash Player.app in order to debug ActionScript 3.0 projects."

The files available for Flash CS4 on Windows are as follows:

Download the Windows Flash Player 10.1 ActiveX control content debugger (for IE) (EXE, 2.72 MB)
< File name: flashplayer_10_ax_debug.exe >

Download the Windows Flash Player 10.1 Plugin content debugger (for Netscape-compatible browsers) (EXE, 2.69 MB)
< File name: flashplayer_10_plugin_debug.exe >

Download the Windows Flash Player 10.1 Projector content debugger (EXE, 5.18 90 MB)
< File name: flashplayer_10_sa_debug.exe >

Download the Windows Flash Player 10.1 Projector (EXE, 4.96 MB)
< File name: flashplayer_10_sa.exe >


I renamed < flashplayer_10_sa.exe > to FlashPlayer.exe and copied it to the following locations, overwriting the existing files:

\Adobe Flash CS4\Players\FlashPlayer.exe
\Adobe Flash CS4\Players\Release\FlashPlayer.exe


I renamed < flashplayer_10_sa_debug.exe > to FlashPlayer.exe and copied it to the following location, overwriting the existing file:

\Adobe Flash CS4\Players\Debug\FlashPlayer.exe


I renamed < flashplayer_10_ax_debug.exe > to Install Flash Player 10 ActiveX.exe and copied it to the following locations, overwriting the existing files:

\Adobe Flash CS4\Players\Debug\Install Flash Player 10 ActiveX.exe
\Adobe Flash CS4\Players\Release\Install Flash Player 10 ActiveX.exe


I renamed < flashplayer_10_plugin_debug.exe > to Install Flash Player 10 Plugin.exe and copied it to the following locations, overwriting the existing files:

\Adobe Flash CS4\Players\Debug\Install Flash Player 10 Plugin.exe
\Adobe Flash CS4\Players\Release\Install Flash Player 10 Plugin.exe


Once again, proceed at your own risk and backup the existing files prior to overwriting them.

Alternatively, you could just wait for the APSB10-14 update to appear at the following URL:

http://kb2.adobe.com/cps/659/b62ce659.html




Was this reply relevant?
+1
-0
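The rename-and-overwrite steps from the post above, scripted so the backup is taken first and nothing is copied unless all four downloads are present. This is an added example, not part of the original post or anything published by Adobe or Secunia; `$DownloadDir` and the `-Apply` switch are assumptions introduced here, and the file mapping is the one the post lists.

```powershell
# Added example: scripted form of the manual rename-and-overwrite steps in the post.
# $DownloadDir (assumed) is the folder holding the four files downloaded from Adobe.
# Run from an elevated prompt; Program Files is not writable otherwise.
param(
    [string]$DownloadDir = "$env:USERPROFILE\Downloads",
    [switch]$Apply   # without -Apply the script only reports what it would do
)

# Downloaded file -> target paths relative to the Players folder (mapping from the post).
$map = [ordered]@{
    'flashplayer_10_sa.exe'           = @('FlashPlayer.exe', 'Release\FlashPlayer.exe')
    'flashplayer_10_sa_debug.exe'     = @('Debug\FlashPlayer.exe')
    'flashplayer_10_ax_debug.exe'     = @('Debug\Install Flash Player 10 ActiveX.exe',
                                          'Release\Install Flash Player 10 ActiveX.exe')
    'flashplayer_10_plugin_debug.exe' = @('Debug\Install Flash Player 10 Plugin.exe',
                                          'Release\Install Flash Player 10 Plugin.exe')
}

# Locate the Players folder under either Program Files root named in the post.
$players = @("$env:ProgramFiles\Adobe\Adobe Flash CS4\Players",
             "${env:ProgramFiles(x86)}\Adobe\Adobe Flash CS4\Players") |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $players) { throw 'Adobe Flash CS4 Players folder not found.' }

# Refuse to start unless every download is present, so the folder is never half-updated.
$missing = $map.Keys | Where-Object { -not (Test-Path -LiteralPath (Join-Path $DownloadDir $_)) }
if ($missing) { throw "Missing downloads: $($missing -join ', ')" }

if ($Apply) {
    # Back up the whole Players folder before overwriting anything.
    $backup = "$players.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"
    Copy-Item -LiteralPath $players -Destination $backup -Recurse
    Write-Host "Backup written to $backup"
}

foreach ($src in $map.Keys) {
    foreach ($rel in $map[$src]) {
        $dst = Join-Path $players $rel
        if ($Apply) { Copy-Item -LiteralPath (Join-Path $DownloadDir $src) -Destination $dst -Force }
        Write-Host ("{0} {1} -> {2}" -f $(if ($Apply) {'copied'} else {'would copy'}), $src, $dst)
    }
}
```

Run it once without `-Apply` to review the seven planned copies, then again with `-Apply`; restoring is a matter of copying the timestamped backup folder back over `Players`.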
gingem RE: CS4 is insecure but no updates available?
Member 18th Jun, 2010 17:36
Score: 0
Posts: 8
User Since: 3rd Jan 2008
System Score: N/A
Location: N/A
Your solution won't work because the file being listed as insecure is not Flash Player, it is the Flash program file. They are just reporting the wrong file!
Was this reply relevant?
+0
-0
Hokulea RE: CS4 is insecure but no updates available?
Member 18th Jun, 2010 19:32
Score: 2
Posts: 2
User Since: 12th Jun 2010
System Score: N/A
Location: US
Last edited on 18th Jun, 2010 19:35
Within the Adobe Flash CS4 application are three instances of Flash Player as well as two instances of both the Flash Player Active X control and the Fx/Netscape Plugin.


Win 32 - C:\Program Files\Adobe\Adobe Flash CS4\Players

Win 64 - C:\Program Files (x86)\Adobe\Adobe Flash CS4\Players


The insecure versions of Flash Player are in the Players folder and in the Players\Debug and Players\Release sub-folders. There are three instances of FlashPlayer.exe. If you launch any of those executables an instance of Flash Player will run.

\Adobe Flash CS4\Players\FlashPlayer.exe

\Adobe Flash CS4\Players\Debug\FlashPlayer.exe
\Adobe Flash CS4\Players\Debug\Install Flash Player 10 Plugin.exe
\Adobe Flash CS4\Players\Debug\Install Flash Player 10 ActiveX.exe

\Adobe Flash CS4\Players\Release\FlashPlayer.exe
\Adobe Flash CS4\Players\Release\Install Flash Player 10 Plugin.exe
\Adobe Flash CS4\Players\Release\Install Flash Player 10 ActiveX.exe

Right click on FlashPlayer.exe within the Players folder, select properties, then the details tab to show the version in use.
Was this reply relevant?
+1
-0
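The right-click version check described in the post above, run across all seven embedded files at once. This is an added example, not part of the original post; `-MinimumVersion` is a hypothetical parameter for the fixed Flash Player version from Adobe's bulletin, which this thread does not state.

```powershell
# Added example: report the version resource of every embedded Flash Player binary.
# -MinimumVersion (assumed parameter): the fixed version from Adobe's bulletin, if known.
param([version]$MinimumVersion)

$roots = @("$env:ProgramFiles\Adobe\Adobe Flash CS4\Players",
           "${env:ProgramFiles(x86)}\Adobe\Adobe Flash CS4\Players")
$names = 'FlashPlayer.exe',
         'Install Flash Player 10 Plugin.exe',
         'Install Flash Player 10 ActiveX.exe'

$roots | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object {
    # Walk Players, Players\Debug and Players\Release and keep only the named files.
    Get-ChildItem -LiteralPath $_ -Recurse | Where-Object { $names -contains $_.Name }
} | ForEach-Object {
    $vi = $_.VersionInfo
    # Build the version from its numeric parts; the FileVersion string itself
    # is free-form and may not parse as a dotted version.
    $ver = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $status = 'unchecked'
    if ($MinimumVersion) { $status = if ($ver -ge $MinimumVersion) { 'ok' } else { 'OUTDATED' } }
    New-Object PSObject -Property @{
        Status = $status; Version = $ver; Modified = $_.LastWriteTime; Path = $_.FullName
    }
} | Sort-Object Path | Format-Table Status, Version, Modified, Path -AutoSize
```

A copy that still shows an old version or an old modification date after patching is one the replacement missed, which matters here because a scanner that reads its version from one of these files will keep reporting the application as insecure.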
Togusa RE: CS4 is insecure but no updates available?
Member 20th Jun, 2010 03:18
Score: 0
Posts: 1
User Since: 9th Feb 2008
System Score: N/A
Location: US
Hokulea,

I'm currently running Secunia PSI and Flash CS4 Professional on Windows 7 Home Premium 64-bit. After scanning my system with Secunia, it flagged the following file as insecure:

C:\Program Files (x86)\Adobe Flash CS4\Flash\Flash.exe

I read this thread, then went here:

http://kb2.adobe.com/cps/659/b62ce659.html

and followed the instructions listed under "Adobe Flash Player 10 Security Release Update for Flash CS4 Professional", then rescanned the system with Secunia PSI.

Even though the Flash Players inside the Flash CS4 directory are now up to date according to Adobe, Secunia still flags the Flash.exe file as insecure. This means that somehow Flash.exe, not the Flash Players, is suspect.

(BTW, I had just finished a marathon cleaning/update session on this Win 7 HP 64 PC, and Flash.exe is currently the ONLY file on the entire system that Secunia has flagged as insecure.)
Was this reply relevant?
+0
-0
This user no longer exists RE: CS4 is insecure but no updates available?
Member 21st Jun, 2010 09:25
Hi,

If you rescan with your PSI's, and expand the entry for CS4, you should see some more detailed update instructions. We've provided these from the Adobe Website, as we realize this update can be especially difficult to deal with.

hope this helps.
Was this reply relevant?
+0
-0
gingem RE: CS4 is insecure but no updates available?
Member 21st Jun, 2010 13:51
Score: 0
Posts: 8
User Since: 3rd Jan 2008
System Score: N/A
Location: N/A
I do not understand why support can't solve this problem. The problem has nothing to do with the Adobe updates. The problem is that the file being listed as insecure is the Adobe Flash.exe and that is not the file that is being updated at all. It is the flash player and the direct X files that are being updated. Yes they exist in multiple locations but the file Flash.exe is already at the latest version!
Was this reply relevant?
+0
-0
This user no longer exists RE: CS4 is insecure but no updates available?
Member 21st Jun, 2010 15:09
Hi,

The instructions now show in the PSI, and the one we've directed users to is the only one outlined in the Adobe patch notes. In Secunia, we only link to the vendor's solutions, and provide their tips. I agree this is a very inconvenient way to update, but it is the official, recommended way.

hope this helps.
Was this reply relevant?
+0
-0
gingem RE: CS4 is insecure but no updates available?
Member 21st Jun, 2010 16:15
Score: 0
Posts: 8
User Since: 3rd Jan 2008
System Score: N/A
Location: N/A
I still don't understand! The downloaded file is called FlashPlayer.exe, the file that is being called as insecure is FLASH.exe! The directions DO NOT SOLVE THE PROBLEM!
Was this reply relevant?
+0
-0
LanceHudson RE: CS4 is insecure but no updates available?
Member 21st Jun, 2010 16:51
Score: 0
Posts: 2
User Since: 18th Mar 2010
System Score: N/A
Location: N/A
Hi, Wanted to let you all know I followed the directions and it did fix the problem. Even though PSI is flagging flash.exe, replacing flashplayers.exe and rescanning fixed it. So I would suggest trying it once and letting us know if it does/doesn't fix it.
Was this reply relevant?
+1
-0
This user no longer exists RE: CS4 is insecure but no updates available?
Member 22nd Jun, 2010 08:48
on 21st Jun, 2010 16:15, gingem wrote:
I still don't understand! The downloaded file is called FlashPlayer.exe, the file that is being called as insecure is FLASH.exe! The directions DO NOT SOLVE THE PROBLEM!


Hi,

As our instructions specify, you have to rename the file (per Adobe's own instructions). I realize this may seem strange to you, but it really is the solution. The PSI detects one file, and extracts version information from another. The one called "Flash.exe" is for detection, "FlashPlayer.exe" for version info.

If you follow the below instructions (also seen in the PSI) and rescan, you should be shown as up to date.

Please Rename the downloaded file to FlashPlayer.exe
Replace the old FlashPlayer.exe located in the "Players" folder in the Flash CS3 folder.
Rescan with the PSI and you should now be flagged as "patched"
Was this reply relevant?
+0
-0
gingem RE: CS4 is insecure but no updates available?
Member 22nd Jun, 2010 14:19
Score: 0
Posts: 8
User Since: 3rd Jan 2008
System Score: N/A
Location: N/A
Tried it the first time and it didn't work. I tried it again and now it's fine. Thank you, sorry for the confusion.
Was this reply relevant?
+0
-0
eileendtp RE: CS4 is insecure but no updates available?
Member 26th Jun, 2010 17:28
Score: 0
Posts: 1
User Since: 2nd May 2010
System Score: N/A
Location: N/A
I am having the same problem. I never had Flash CS2, and I updated directly from CS2 to CS4, so I don't have a folder labeled CS3. What do I do now? I cannot get the error to go away, despite renaming things anywhere I could find them on my machine.
Was this reply relevant?
+0
-0
gingem RE: CS4 is insecure but no updates available?
Member 26th Jun, 2010 19:32
Score: 0
Posts: 8
User Since: 3rd Jan 2008
System Score: N/A
Location: N/A
The problem is in the CS4 folder for you. Use the open folder command and it will open to the folder where the error is.
Was this reply relevant?
+0
-0
