Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11834
HistoryMar 17, 2006 - 12:00 a.m.

Microsoft Security Advisory (916208) Adobe Security Bulletin: APSB06-03 Flash Player Update to Address Security Vulnerabilities

2006-03-1700:00:00
vulners.com
32

Microsoft Security Advisory (916208)
Adobe Security Bulletin: APSB06-03 Flash Player Update to Address Security Vulnerabilities
Published: March 14, 2006

Microsoft is aware of recent security vulnerabilities in Macromedia Flash Player from Adobe, a third party software application that also was redistributed with Microsoft Windows XP Service Pack 1, Windows XP Service Pack 2, Windows 98, Windows 98 SE, and Windows Millennium Edition. The Microsoft Security Response Center is in communication with Adobe and is aware that Adobe has made updates that are available on their Web site.

Microsoft encourages customers who use Flash Player to follow the guidance documented in Adobe’s Security Bulletin. The Adobe Security Bulletin describes the vulnerabilities and provides the download locations so that you can install the appropriate update based on the version of Flash Player you are using.

If customers are not using Flash Player on their system, or customers do not need Flash Player, they can disable the ActiveX control in Internet Explorer to help protect against these vulnerabilities. See the “Workarounds” section in this advisory for ways to implement this change.
General Information

Overview

Purpose of Advisory: To make customers aware of a security bulletin and updates that are available from Adobe for Flash Player.

Advisory Status: Advisory published. Adobe has released a security bulletin and updates are available on their Web site.

Recommendation: Review the Adobe Security Bulletin. Review the suggested actions in this Microsoft security advisory. Make appropriate configuration changes to Internet Explorer.
References Identification

Microsoft Knowledge Base Article

916208

This advisory discusses the following software.
Related Software

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1

Microsoft Windows XP Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003

Microsoft Windows Server 2003 for Itanium-based Systems

Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Microsoft Windows Server 2003 x64 Edition

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Top of sectionTop of section

Frequently Asked Questions

What is the scope of the advisory?
This advisory explains which versions of Windows have redistributed the Macromedia Flash Player from Adobe, encourages customers to review Adobe’s Security Bulletin, and suggests additional workarounds that customers can take.

Is Flash Player a Microsoft technology?
No. This software is made by Adobe Systems Inc., formerly Macromedia, Inc.

Is Flash Player redistributed by Microsoft?
Yes. Some versions of Flash Player have been redistributed by Microsoft. The supported versions of Windows that redistribute Flash Player are Windows XP Service Pack 1, Windows XP Service Pack 2, Windows XP Professional x64 Edition, Windows 98, Windows 98 Second Edition and Windows Millennium Edition. No other supported versions of Windows redistribute Flash Player. Other software applications from Microsoft may also redistribute the Flash Player.

Which versions of the Flash Player are redistributed with Windows?
Microsoft Windows version Flash Player Filenames and Versions

Microsoft Windows XP Service Pack 1

Swflash.ocx 5.0.44

Microsoft Windows XP Service Pack 2

Flash.ocx 6.0.79

Microsoft Windows XP Professional x64 Edition

Flash.ocx 6.0.79

Microsoft Windows 98 and Microsoft Windows 98 Second Edition (SE)

Swflash.ocx 5.0.44

Microsoft Windows Millennium Edition (ME)

Swflash.ocx 4.0.28

I use a version of Windows that is not listed in this table. Might I still have the Flash Player installed on my system?
Yes. Flash Player is available for download from Adobe Systems, Inc. (formerly Macromedia, Inc). Flash Player also may have been installed or required by another software application. You can determine whether you have Flash Player installed and if so what version by visiting the following Adobe Web site. If you have a version of Flash Player earlier than 7.0.63.0 or 8.0.24.0 you have a version that may be affected by the reported vulnerabilities.

The Adobe Security Bulletin describes the vulnerabilities and provides the download locations so that you can install version 7.0.63.0 or 8.0.24.0 of Flash Player.

Note If you do not have Flash Player installed, the Adobe Web site will prompt you to install the latest version of Flash Player.

I have a Flash Player version earlier than version 7 on my system. What can I do?
Microsoft encourages customers who use Flash Player to follow the guidance documented in Adobe’s Security Bulletin. The Adobe Security Bulletin describes the vulnerabilities and provides the download locations so that you can install the appropriate update based on the version of Flash Player you are using.

If you are unable to follow Adobe’s guidance or cannot move to a more recent version of Flash Player, you can disable the ActiveX control in Internet Explorer to help protect against these vulnerabilities. See the “Workarounds” section in this advisory for ways to implement this change. Customers can also contact the Adobe Security Team at [email protected] for guidance around this update.

I am using Windows Server 2003. Does this mitigate this vulnerability?
Yes. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

What is Internet Explorer Enhanced Security Configuration?
Internet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or of an administrator downloading and running malicious Web content on a server. Internet Explorer Enhanced Security Configuration reduces this risk by modifying many security-related settings. This includes the settings on the Security tab and the Advanced tab in the Internet Options dialog box. Some of the important modifications include the following:
•

Security level for the Internet zone is set to High. This setting disables scripts, ActiveX controls, Microsoft Java Virtual Machine (MSJVM), and file downloads.
•

Automatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.
•

Install On Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.
•

Multimedia content is disabled. This setting prevents music, animations, and video clips from running.

Can I use SMS to determine if Flash Player is installed on a system?
Yes. SMS can help detect if Flash Player is installed on a system. SMS can search for the existence of the files swflash.ocx and flash.ocx. Versions of swflash.ocx and flash.ocx that are earlier than version 8.0.24.0 may be vulnerable.
Top of sectionTop of section

Suggested Actions
•

Review the Adobe Security Bulletin

Review the Adobe Security Bulletin and follow Adobe’s guidance as appropriate.
•

Protect Your PC

We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing ant-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.

For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.
•

Keep Your System Updated

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure that you install them.

Workarounds

Microsoft encourages customers who use Flash Player to follow the guidance documented in Adobe’s Security Bulletin. The Adobe Security Bulletin describes the vulnerabilities and provides the download locations so that you can install the appropriate update based on the version of Flash Player you are using.

If you are unable to follow Adobe’s guidance or need additional time before updating your system, then you can use one of the following workarounds that help block known attack vectors.

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer for Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1

You can help protect against this vulnerability by temporarily preventing the Flash Player ActiveX control from running in Internet Explorer. On Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 use the Internet Explorer Manage Add-ons feature to disable the ActiveX control.

Start Internet Explorer.

On the Tools menu, click Manage Add-ons.

Locate and click on “Shockwave Flash Object”.

To disable the add-on, click Disable, and then click OK.

Note If you cannot locate the ActiveX control then use the drop-down box to switch from “Add-ons currently being used in Internet Explorer” to “Add-ons that have been used by Internet Explorer” and follow steps 3 and 4. If the ActiveX control is not present in this list you either have not used the ActiveX control before or it is not present on your system. See the workaround “Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer” for additional information.

For more information on the Internet Explorer Manage Add-ons feature in Windows XP Service Pack 2, see Microsoft Knowledge Base Article 883256.

Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

To regain functionality you need to use the Internet Explorer Manage Add-ons feature to enable the ActiveX control.
Top of sectionTop of section

Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer

Temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer by setting the kill bit for the control.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

We recommend that you back up the registry before you edit it.

Use the following text to create a .reg file that temporarily prevents attempts to instantiate the Macromedia Flash Player ActiveX control in Internet Explorer. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

Close Internet Explorer, and reopen it for the changes to take effect.

For detailed steps about stopping a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps and create a Compatibility Flags value in the registry to prevent the Flash Player ActiveX control from running in Internet Explorer.

Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

To regain functionality you need to undo the kill bits for the Flash Player ActiveX control remove the registry keys added to temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer.
Top of sectionTop of section

Modify the Access Control List on the Flash Player ActiveX control so that it is more restrictive

To modify the Access Control List (ACL) on the Flash Player ActiveX control to be more restrictive, follow these steps:

Click Start, click Run, type "cmd" (without the quotation marks), and then click OK.

Type the following commands at a command prompt. Make a note of the current files ACL’s, including inheritance settings. You may need this list if you have to undo these modifications:

cacls %windir%\system32\Macromed\Flash\flash.ocx
cacls %windir%\system32\Macromed\Flash\swflash.ocx

Type the following command at a command prompt to deny the ‘everyone’ group access to this file:

echo y|cacls %windir%\system32\Macromed\Flash\flash.ocx /d everyone
echo y|cacls %windir%\system32\Macromed\Flash\swflash.ocx /d everyone

Close Internet Explorer, and reopen it for the changes to take effect.

Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

To regain functionality you need to undo the modifications to the Access Control List on the ActiveX control you have on your system.
Top of sectionTop of section

Unregister the Flash Player ActiveX Control

To unregister the Flash Player ActiveX control, follow these steps:

Click Start, click Run, type "regsvr32.exe /u %windir%\system32\Macromed\Flash\flash.ocx" (without the quotation marks), and then click OK.

A dialog box confirms that the unregistration process has succeeded. Click OK to close the dialog box.

Click Start, click Run, type "regsvr32.exe /u %windir%\system32\Macromed\Flash\swflash.ocx" (without the quotation marks), and then click OK.

A dialog box confirms that the unregistration process has succeeded. Click OK to close the dialog box.

Close Internet Explorer, and reopen it for the changes to take effect.

Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

To reregister the Flash Player ActiveX control, follow these steps:

Click Start, click Run, type "regsvr32.exe %windir%\system32\Macromed\Flash\flash.ocx" (without the quotation marks), and then click OK.

A dialog box confirms that the registration process has succeeded. Click OK to close the dialog box.

Click Start, click Run, type "regsvr32.exe %windir%\system32\Macromed\Flash\swflash.ocx" (without the quotation marks), and then click OK.

A dialog box confirms that the registration process has succeeded. Click OK to close the dialog box.

Close Internet Explorer, and reopen it for the changes to take effect.
Top of sectionTop of section

Restrict access to the Macromedia Flash folder by using a Software Restriction Policy

To restrict access to the Macromedia Flash folder (%windir%\system32\Macromed\Flash\) on Windows XP and later versions you can create a Software Restriction Policy. To create this policy, use a registry script or create a Group Policy setting to block the loading of the Flash Player ActiveX control.

For more information about Group Policy, visit the following Microsoft Web sites:
•

Step-by-Step Guide to Understanding the Group Policy Feature Set
•

Windows 2000 Group Policy
•

Group Policy in Windows Server 2003

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Change Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

We recommend that you back up the registry before you edit it.

Use the following text to create a .reg file to restrict access to the Macromedia Flash folder. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"TransparentEnabled"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{2742f840-c2d8-4eb3-a486-0a9d0879f29f}]
"LastModified"=hex(b):10,c3,8a,19,c6,e3,c5,01
"Description"="Block Macromedia Flash"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,61,00,63,00,72,00,6f,\
00,6d,00,65,00,64,00,5c,00,66,00,6c,00,61,00,73,00,68,00,5c,00,2a,00,00,00
Top of sectionTop of section

Change your Internet Explorer settings to prompt before running ActiveX controls or disable ActiveX controls in the Internet security zone and in the Local intranet security zone

You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:

In Internet Explorer, click Internet Options on the Tools menu.

Click the Security tab.

Click Internet, and then click Custom Level.

Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.

Click Local intranet, and then click Custom Level.

Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.

Click OK two times to return to Internet Explorer.

Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the following method:

Restrict Web sites to only your trusted Web sites.

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, follow these steps:

In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.

If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.

In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.

Repeat these steps for each site that you want to add to the zone.

Click OK two times to accept the changes and return to Internet Explorer.

Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is "*.windowsupdate.microsoft.com" (without the quotation marks). This is the site that will host the update, and it requires an ActiveX control to install the update.
Top of sectionTop of section

Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX controls in these zones

You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.

To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

On the Internet Explorer Tools menu, click Internet Options.

In the Internet Options dialog box, click the Security tab, and then click the Internet icon.

Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the following method:

Restrict Web sites to only your trusted Web sites.

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, follow these steps:

In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.

If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.

In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.

Repeat these steps for each site that you want to add to the zone.

Click OK two times to accept the changes and return to Internet Explorer.

Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is "*.windowsupdate.microsoft.com" (without the quotation marks). This is the site that will host the update, and it requires an ActiveX control to install the update.
Top of sectionTop of section

Remove the Macromedia Flash Player from Adobe from your system

If you want to remove the Flash Player, refer to the Adobe Flash Player Support FAQ for instructions.

To regain functionality you need install the Flash Player ActiveX control from the Adobe Web site
Top of sectionTop of section
Top of sectionTop of section
Top of sectionTop of section
Top of sectionTop of section

Resources:
•

You can provide feedback by completing the form by visiting the following Web site.
•

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
•

International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
•

The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
•

March 14, 2006: Advisory published