Forum Thread: Still getting a vulnerability report with CS3 Flash

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Adobe Systems
And, this specific program:
Adobe Flash CS3 9.x

This thread has been marked as locked.
Hollico Still getting a vulnerability report with CS3 Flash
Member 2nd Jul, 2010 16:42
Ranking: 0
Posts: 16
User Since: 22nd Jul, 2009
System Score: N/A
Location: N/A
Two weeks ago I posted about this problem.

When I tried the solution (rename the downloaded file to FlashPlayer.exe and replace the file in the Adobe Flash CS3/Players folder) it did not resolve the problem when I rescanned it.

I note from another thread that the solution solved the problem. Any ideas?

taffy078 RE: Still getting a vulnerability report with CS3 Flash
Contributor 2nd Jul, 2010 18:34
Score: 408
Posts: 1,335
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi Hollico.

Maurice Joyce, a regular expert here, posted the following solution for Adobe Flash recently - it worked for me. You may wish to try it and then get back if you still need help. Regards.

*************

ADOBE FLASH
NB: No need to uninstall the old file. The Installation will do this.
UPDATING ADOBE FLASH
====================
Works with Windows XP, Vista & Windows 7 - 32 & 64 Bit systems.

To successfully install Adobe Flash go here:
http://www.filehippo.com/download_flashplayer_ie/

& then here if U have any Gecko based browsers.

http://www.filehippo.com/download_flashplayer_fire...

The latest RC version is: 10.1.53.64 RC7 - This version is very stable monitored by Secunia & currently the only one that appears secure

1. Select the Flash version U require & download it.
2. The installer will appear on the desktop. Before agreeing to install close:
a. All Browsers.
b. PSI
c. Windows Messenger.
3. The new install will then remove all old files during the update process.
4. Complete a PSI rescan.

POSSIBLE PROBLEMS:

If U failed to complete 2. above U may well find PSI still shows a vulnerability on the rescan.

SOLUTION:

1. Double check your browser(s), PSI & Messenger are closed.
2. Navigate to:
32 Bit Systems - C:\Windows\system32\Macromedia\Flash
64 Bit Systems - C:\Windows\sysWOW64\Macromedia\Flash

In these locations U may well find these entries:
FLASH10D or E.OCX - Right click & delete it.
FLASH10H.OCX - The latest version which should be retained.


--
Maurice 11th Jun, 2010 12:10

http://secunia.com/community/forum/thread/show/444...


--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
Was this reply relevant?
+1
-2
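The clean-up step in the quoted instructions can be checked before deleting anything. The following is an added example, not part of the thread or of any Secunia or Adobe tooling: a report-only PowerShell function that lists the Flash ActiveX controls in the two directories named above with their file versions and marks which one is the newest. The function name `Get-FlashOcxReport` and the `Status` labels are assumptions made for this illustration.

```powershell
# Added example: report-only listing of the Flash ActiveX controls (Flash*.ocx).
# Nothing is deleted; the output shows which control is newest and which are stale.
function Get-FlashOcxReport {
    param(
        # Directories quoted in the post (32-bit and 64-bit systems).
        [string[]]$Path = @(
            "$env:windir\system32\Macromedia\Flash",
            "$env:windir\sysWOW64\Macromedia\Flash"
        )
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        $files = @(Get-ChildItem -LiteralPath $dir -Filter 'Flash*.ocx' | ForEach-Object {
            $vi = $_.VersionInfo
            # Build a comparable version from the numeric parts, because the
            # FileVersion string is not guaranteed to be in dotted form.
            $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
                $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            New-Object psobject -Property @{
                Directory = $dir
                Name      = $_.Name
                Version   = $ver
            }
        })
        if ($files.Count -eq 0) { continue }

        # The highest version in each directory is the one to retain.
        $newest = ($files | Sort-Object Version -Descending |
            Select-Object -First 1).Version
        foreach ($f in $files) {
            $status = if ($f.Version -eq $newest) { 'keep (newest)' } else { 'stale' }
            $f | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
        }
    }
}

Get-FlashOcxReport |
    Sort-Object Directory, Version |
    Format-Table Directory, Name, Version, Status -AutoSize
```

Running it before and after the update, with browsers closed, shows whether an older control was left behind in either directory.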
Hollico RE: Still getting a vulnerability report with CS3 Flash
Member 2nd Jul, 2010 20:11
Score: 0
Posts: 16
User Since: 22nd Jul 2009
System Score: N/A
Location: N/A
Thanks! I'll let you know how I make out.
Was this reply relevant?
+0
-0
Craig_Stutzman RE: Still getting a vulnerability report with CS3 Flash
Member 3rd Jul, 2010 17:30
Score: 0
Posts: 3
User Since: 3rd Jul 2010
System Score: N/A
Location: US
I just reinstalled CS3 on my new Windows-7 computer (deregistered the app from the old computer, and reinstalled/updated/re-registered on the new system), and I am experiencing the same thing (Secunia reporting an Adobe Flash CS3 security error).

I wouldn't call myself an expert on this issue, but I think this is an error on Secunia's part. Here's why.

The downloaded solution is a Flash player. However, the flash.exe program in the CS3 directory is the CS3 Flash Creator application. If you did what you said you did (overwrote/replaced the flash.exe in your CS3 directory), then you erased your CS3 Flash Creator application.

My take is that the problem is poor application naming convention on Adobe's part (to name the Creator application the same exact name as the Player application is NOT good), so the source of the issue isn't Secunia. However, Secunia needs to deal with this Adobe Flash confusion before providing a "solution" that erases a valuable application. Perhaps Secunia needs to examine the directory that flash.exe resides in (in our case, "Adobe Flash CS3") or perhaps Secunia needs to be aware of the differences between Creator and Player version numbers -- that's for Secunia's tech staff to figure out.

Hopefully, the Secunia staff will see this and will fix how their application deals with the two (actually, many) renditions of flash.exe.

-Craig
Was this reply relevant?
+0
-0
Hollico RE: Still getting a vulnerability report with CS3 Flash
Member 3rd Jul, 2010 19:32
Score: 0
Posts: 16
User Since: 22nd Jul 2009
System Score: N/A
Location: N/A
Hey, Craig -

As a long-time Adobe suite user ('cause there aren't any real alternatives) I'm very familiar with Adobe's arrogant behaviour, especially where support of their apps is concerned.

This is the weirdest Adobe patch I've encountered - the previous one was bad enough - and in my opinion Adobe is trying to force their customers to upgrade to CS5 by putting as many hurdles as possible in their path if they want to continue to use CS3.

A security vulnerability isn't the customer's fault. Adobe should get their act together. I can't fault Secunia in any way for this.
Was this reply relevant?
+0
-0
Craig_Stutzman RE: Still getting a vulnerability report with CS3 Flash
Member 4th Jul, 2010 00:47
Score: 0
Posts: 3
User Since: 3rd Jul 2010
System Score: N/A
Location: US
I agree that the root of the problem lies with Adobe. However, Secunia definitely has a part here. Apparently, Adobe's convention about whether "flash.exe" is Flash Player or a CSx-Flash Creator application depends on the directory that flash.exe resides in. So it seems to me that Secunia's PSI/CSI application (in my case, PSI) isn't aware that Adobe has two different applications with the same name. So I believe that PSI is improperly labeling our CSx-version of flash.exe as a security problem because it thinks it is an old version of Flash player. It is, after all, Secunia's application that flags the security issue and provides the link to the vendor's solution. I presume that PSI's relationship between security-issues and their solutions is kept in Secunia's rules database - so perhaps all Secunia needs to do is update their database.

Actually, I have no idea whether our CSx flash.exe has security issues. All I know is that I've installed all the Adobe updates for CS3 -- and I'm pretty sure that Secunia is mis-identifying the Flash Creator application with the Flash reader.
Was this reply relevant?
+0
-0
ddmarshall RE: Still getting a vulnerability report with CS3 Flash
Dedicated Contributor 4th Jul, 2010 01:23
Score: 1208
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I don't know if you have seen this thread:

http://secunia.com/community/forum/thread/show/440...

which has a post from a Secunia Official setting out how the PSI is detecting this vulnerability. I don't know why this method is necessary; maybe to do with Adobe using the same names for different things.

However it is clear that flash.exe should not be overwritten. The file to be replaced is FlashPlayer.exe.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+2
-0
Hollico RE: Still getting a vulnerability report with CS3 Flash
Member 4th Jul, 2010 02:47
Score: 0
Posts: 16
User Since: 22nd Jul 2009
System Score: N/A
Location: N/A
Thanks for the suggestion, however, that's exactly where I started out. It didn't work - or at least Secunia is still detecting a problem.

My point about Adobe is that the solution is their patch and there aren't even any instructions to go with it. At least with their previous somewhat mysterious patches they tried to tell you how to apply it, if somewhat vaguely. With this one there is only the file and not a word about how to apply it.
Was this reply relevant?
+0
-0
Craig_Stutzman RE: Still getting a vulnerability report with CS3 Flash
Member 4th Jul, 2010 02:50
Score: 0
Posts: 3
User Since: 3rd Jul 2010
System Score: N/A
Location: US
Thanks for this! So, CS4 users are experiencing the same issue....

E.Petersen's responses seem to reassure folks that Secunia's solution works. While that is good, there is no good or plausible reason why PSI can't flag the bad file (FlashPlayer.exe) instead of the good file (flash.exe) that identifies the installed CS3/CS4 application.

Secunia could easily clear up the whole confusion over this update, and it would save everyone time and expense (including Secunia). I understand that they don't want to countermand Adobe's solution - but they really wouldn't be. Secunia would only be directing their users to the application that needs fixing. Everyone who installs Adobe CSx knows they have/need a Flash Player, so no one is going to say, "I didn't install FlashPlayer."

Having PSI/CSI identify FlashPlayer.exe as the problem (and NOT flash.exe) is indeed the best solution for everyone.
Was this reply relevant?
+0
-0
ddmarshall RE: Still getting a vulnerability report with CS3 Flash
Dedicated Contributor 4th Jul, 2010 11:33
Score: 1208
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I don't know how Secunia manage to provide as much information about this as they do. All I could find on the Adobe website was this:

http://www.adobe.com/support/flashplayer/downloads...

It seems there can be as many as four players to update and the amount of information gets less the older version you have.

This is pathetic from Adobe.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+2
-0
Anthony Wells RE: Still getting a vulnerability report with CS3 Flash
Expert Contributor 4th Jul, 2010 16:10
Score: 2437
Posts: 3,327
User Since: 19th Dec 2007
System Score: N/A
Location: N/A


When the PSI displays a problem, the "installation path" usually identifies the "location" of the main .exe or .dll in a folder; it does not always mean that the file in the "installation" path is the one at fault - it can be another file where the version info is located. This is common with Adobe products and the PSI detection rules often need amending as programs change/update; Emil Petersen is clear about the currently used detection rules for CS and embedded Flash, if you read to the end of the linked thread ddmarshall has posted above.

The PSI tells you there is a "vulnerability" and "suggests" a/possible solution(s); Secunia is aware of the difficulties with Adobe and tries to add as much detail as possible, but it is up to you and Adobe to make the instructions/things work. I'm not sure what else Secunia can do, aside from this Forum, especially as the "weird" instructions are meant/seem to work.

Take care
Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+2
-0
