Microsoft warns of hole in old version of Flash Player
In addition to yesterday's security update, Microsoft has pointed out a critical hole in the ActiveX control of Flash Player 6.x, which ships as a standard component of Windows XP. The hole allows an attacker to execute arbitrary code, and thus plant malware, on a PC whose user merely visits a specially crafted web page. Microsoft has not released a working update; instead it advises users to uninstall the old player and replace it with Adobe's current version (10.0.42.34).
Adobe offers a downloadable tool designed to remove the relevant plug-ins and the ActiveX control. In practice, installing the current version is generally sufficient, since the installer simply overwrites the faulty control.
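As an added example (not code from the article, Microsoft or Adobe), the following PowerShell script performs the check the article leaves to the reader: it resolves which file is registered as the Flash ActiveX control in Internet Explorer, reads that file's version, and reports whether it is older than the release the article names as current. It assumes the control is registered under the standard Shockwave Flash CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000} and uses 10.0.42.34 as the threshold; the version string format ("6,0,79,0") and the expected XP path are assumptions noted in the comments.

```powershell
# Added example, not from the article or the vendors: report whether the Flash
# ActiveX control registered for Internet Explorer is an outdated (6.x) build.
# Assumption: the control is registered under the well-known Shockwave Flash CLSID.
$Clsid   = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
# Threshold: the version the article names as Adobe's current release.
$Current = [Version]'10.0.42.34'

function Get-FlashActiveXInfo {
    # InprocServer32's default value holds the path of the OCX implementing the
    # control (on XP typically %SystemRoot%\System32\Macromed\Flash\Flash.ocx,
    # an assumption used only for the comment, not by the code).
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $key)) {
        return $null                      # no Flash ActiveX control registered
    }
    $path = (Get-ItemProperty -Path $key).'(default)'
    if ($path) { $path = [Environment]::ExpandEnvironmentVariables($path) }
    if (-not $path -or -not (Test-Path $path)) {
        return [pscustomobject]@{ Path = $path; Version = $null }   # dangling registration
    }
    # Flash's FileVersion resource is assumed to look like "6,0,79,0"; normalise
    # commas to dots and drop any trailing text so [Version] can parse it.
    $raw = (Get-Item $path).VersionInfo.FileVersion
    $clean = (($raw -replace ',', '.').Trim()) -replace '^([\d.]+).*$', '$1'
    [pscustomobject]@{ Path = $path; Version = [Version]$clean }
}

function Test-FlashOutdated {
    param([Parameter(Mandatory)][Version]$Version)
    # Anything older than the current release is unsupported; the 6.x build
    # bundled with Windows XP is the one Microsoft's advisory is about.
    return ($Version -lt $Current)
}

$info = Get-FlashActiveXInfo
if ($null -eq $info) {
    Write-Host 'No Flash ActiveX control is registered; nothing to do.'
} elseif ($null -eq $info.Version) {
    Write-Host "Control registered at '$($info.Path)' but the file is missing; remove the stale CLSID registration."
} elseif (Test-FlashOutdated $info.Version) {
    Write-Host "Outdated Flash ActiveX control $($info.Version) at $($info.Path)."
    Write-Host "Install Adobe's current player ($Current), which overwrites it, or run Adobe's uninstaller."
} else {
    Write-Host "Flash ActiveX control $($info.Version) is current."
}
```

Run it from an administrator prompt so the registry and System32 are readable; on 64-bit Windows the 32-bit control is registered separately under HKCR\Wow6432Node\CLSID, so the same check should be repeated against that key.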
Data from The H Update Check shows that anyone who assumes version 6 has disappeared from users' computers is mistaken: in roughly 140,000 checks run during the first 30 days after the tool's release, 16,000 copies of the vulnerable (Macromedia) Flash Player 6 were detected. Windows XP is the only version of Windows in which Microsoft bundled Flash Player by default.
Security firm Secunia has released an advisory on Microsoft's security bulletin that sheds light in particular on the timeline of the vendor's response. According to the advisory, Secunia informed Microsoft about the hole as early as 18 October 2007. Microsoft's update MS06-069 was meant to address the problem, but according to Secunia it did not close the hole. There followed roughly two years of correspondence between Secunia, Microsoft and Adobe, which produced nothing tangible beyond the current recommendation to uninstall the player. Adobe had already ended support for version 6 in 2006; Microsoft presumably hoped that users would install a more recent version on their own.
According to Secunia, the old ActiveX control contains additional critical holes that have long been fixed in more recent versions.
- Vulnerabilities in Adobe Flash Player 6 Provided in Windows XP Could Allow Remote Code Execution, security advisory from Microsoft.
- Microsoft Windows Flash Player Movie Unloading Vulnerability, security advisory from Secunia.
- Windows XP Macromedia Flash 6 ActiveX control memory corruption vulnerability, security advisory from US-CERT.
- The H Update Check