Forum Thread: Security Update for Flash 11.5.502.110 Released Yesterday, But

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Adobe Systems
And, this specific program:
Adobe Flash Player 11.x

This thread has been marked as locked.
joe schmoe Security Update for Flash 11.5.502.110 Released Yesterday, But
Member 7th Nov, 2012 10:53
Ranking: 41
Posts: 144
User Since: 26th Nov, 2008
System Score: N/A
Location: US
Sorry, but PSI 3.0.0.3 still shows as vulnerable.

Any idea why this is?

Version in question is 11.5.502.110(NPAPI). BTW, never run flash in IE8 anyway, due to this issue.

--
XP Pro SP3 P4 3.2 HT 2 GB RAM Avast! 9.0.2018 AIS
Win 7 Home Pro SP1 Pentium D 2.8 3 GB RAM Avast 9.0.2018 AIS
Secunia PSI 2.0.0.3003 XP Pro 32-bit & Win 7 H Pro 64-bit

dickvisser RE: Security Update for Flash 11.5.502.110 Released Yesterday, But
Member 7th Nov, 2012 18:37
Score: 2
Posts: 15
User Since: 14th Mar 2012
System Score: N/A
Location: NL
Last edited on 7th Nov, 2012 22:57
On my win7 box psi3 does see 11.4.x is vulnerable, but updating to 11.5 (both activeX as well as npapi) gets stuck at a yellow "Updating".
Rebooting etc does not help...
This user no longer exists RE: Security Update for Flash 11.5.502.110 Released Yesterday, But
Secunia Official 9th Nov, 2012 09:10
Some recent changes in our version rules for Adobe Flash Player should have fixed the latest issues. However, if all else should fail you might want to try this update procedure.

1. Uninstall Adobe Flash Player in Add/Remove Programs.
2. Scan with the PSI to make sure Adobe Flash Player has been completely uninstalled.
3. Reinstall Adobe Flash Player at www.adobe.com.

You should then have the latest version of Adobe Flash Player, and only that version.
klausus02 RE: Security Update for Flash 11.5.502.110 Released Yesterday, But
Member 9th Nov, 2012 10:12
Score: 89
Posts: 144
User Since: 4th Feb 2011
System Score: N/A
Location: DE
... BUT: This doesn't help to clear Secunia Advisory SA47161 in Secure Browsing in PSI 2 !

Is this advisory still valid? The advisory is very old.

Thanks
Klaus
This user no longer exists RE: Security Update for Flash 11.5.502.110 Released Yesterday, But
Secunia Official 9th Nov, 2012 10:22
@klausus02
Unfortunately yes, Adobe has still not patched the vulnerability described in advisory SA47161.
http://secunia.com/advisories/47161
klausus02 RE: Security Update for Flash 11.5.502.110 Released Yesterday, But
Member 9th Nov, 2012 10:29
Score: 89
Posts: 144
User Since: 4th Feb 2011
System Score: N/A
Location: DE
@E.Jeppesen
It's a pity that Adobe seems not to have any interest in that point.
Thanks
mushie RE: Security Update for Flash 11.5.502.110 Released Yesterday, But
Member 9th Nov, 2012 19:45
Score: 0
Posts: 1
User Since: 2nd Nov 2009
System Score: N/A
Location: N/A
I have been following this thread with some interest. Thank you all for sharing here.

If someone is going to put out (any product or service) they need to back that up with adjustments or fixes so the end user or customer is satisfied or happy, and not let problems or issues slide.

Adobe seems to be missing the boat here and may well be taking on water; if such issues are not fixed, it may be in danger of sinking completely. That is why even though Flash may work in IE9, I refuse to run it in this browser;

IE is an integral part of the MS operating system since Win95 I believe, and any exploit or corruption of this browser can well run very deep into the operating system.
klausus02 RE: Security Update for Flash 11.5.502.110 Released Yesterday, But
Member 10th Nov, 2012 09:51
Score: 89
Posts: 144
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 10th Nov, 2012 09:53
@mushie

Yesterday I sent a request to Adobe to get an idea about their plans for fixing the plugin.

Here is the original conversation using their special form:

------

Hello Klaus,

Thank you for contacting Adobe PSIRT. Adobe is aware of CVE-2011-4693 and CVE-2011-4694, and has reached out to the researcher. We would welcome any details so we can verify and address the vulnerabilities, but until we have additional information, there is nothing we can do beyond continuously monitoring the threat landscape as always.

Thank you,
Wendy
Adobe Product Security Incident Response Team

-----Original Message-----
From: via web form [mailto:PSIRT@adobe.com]
Sent: Friday, November 09, 2012 6:44 AM
To: Adobe PSIRT
Subject: Adobe product security vulnerability feedback form

Name: Klaus Junke
Email: klaus.junke@googlemail.com
Phone: 0231-100193
CanAdobeContactUser: Yes
Product: Flash Player
ProductOther:
ProductVersion: 11.5.502.110
VulnerabilityDetail: Since about one year there exists the Secunia security advisory SA47161. It describes an exploit in FlashPlayerPlugIn. Does Adobe have any interest in fixing this? Or is the advice not to use this plugin?

Thanks
Klaus
DefaultConfigVulnerable: Yes
ConfigChangesRequired:
VulerabilityResult: UnauthorizedAccess, DataLossCorruption, DenialServiceApplication
PartiesAffected: Adobe
HowToDuplicate: please see secunia SA47161
ExampleProgram: No
WorkaroundsFixes: No
WorkaroundsFixesDetail:
VulnerabilityBeingExploited: Yes

-----

Their reaction is a bit disappointing. Obviously Adobe is not aware of this bug or they do not have any interest to fix it. This means better not to use the Flash browser plugin.

Thanks
Klaus
dickvisser RE: Security Update for Flash 11.5.502.110 Released Yesterday, But
Member 10th Nov, 2012 12:55
Score: 2
Posts: 15
User Since: 14th Mar 2012
System Score: N/A
Location: NL
I'm not entirely sure, but I would expect a dedicated security team exists at Adobe Systems, and that due to organisational issues (too big company, too many layers, people not knowing what other people are working on), the person responding to this web form simply wasn't the right person.
klausus02 RE: Security Update for Flash 11.5.502.110 Released Yesterday, But
Member 10th Nov, 2012 13:07
Score: 89
Posts: 144
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Last edited on 10th Nov, 2012 13:39
@dickvisser

Sure. But I took the only possibility I have. Before using the web form I called some support phone number offered by Adobe. But the guy couldn't give me any information and felt to be the wrong one because I am not a registered prof member of Adobe. He recommended the web form. So, maybe Adobe's support has potential for optimising...

We users have to decide.

edit
I just found at ZDNet that since version 11.3 Flash Player is running inside a sandbox in Firefox.

-> http://www.zdnet.com/blog/security/flash-player-sa...

If this is really true then the advisory SA47161 could be invalid for Firefox. I'm not sure.

Maybe some Secunia official (E.Jeppesen ?) could provide more info.

And here is a link to the Adobe Secure Software Engineering Team (ASSET) Blog:
-> http://blogs.adobe.com/asset/2012/06/inside-flash-...
