Results 1 to 15 of 19

Thread: Malvertisements

  1. #1
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Malvertisements

    From the latest Windows Secrets Newsletter here: Flash ads bearing malware plague popular sites

  2. #2
    Plutonium Lounger
    Join Date
    Mar 2002
    Posts
    84,353
    Thanks
    0
    Thanked 29 Times in 29 Posts

    Re: Malvertisements

    Thanks! I ran the Secunia tool, and although I had the latest version of the Flash player, it turned out that an older (vulnerable) version was also still installed (no idea why). It's gone now!

  3. #3
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Malvertisements

    Hmmm, over the years I've posted a few Flash movies created with cheap or free tools. I wonder if any are vulnerable to this problem?

    Anyway, for Firefox users, the NoScript extension is a helpful layer of protection. NoScript is a bit of a hassle to "train" to recognize sites you trust, but as you build up its list, I think most people patient enough to use it find it to be a fantastic way to reduce annoyances as well as security risks.

    NoScript site: http://noscript.net/
    Blog entry about NoScript and the Flash vulnerability: http://hackademix.net/2008/01/06/flash-xss...tion-for-users/

  4. #4
    Plutonium Lounger
    Join Date
    Oct 2001
    Location
    Lexington, Kentucky, USA
    Posts
    12,107
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Malvertisements

    For the possible benefit of any other Loungers following our lead, I post this. When I made the original post this morning, I didn't have time to run that tool, so I did so when I returned this afternoon. Boy, did I ever get a list of problem installations! I had QuickTime, iTunes, RealPlayer, WinZip and Firefox versions installed that ALL were considered insecure. After removing all of those apps, I was left with several versions of Sun Java that are deemed insecure. By the time I removed ALL of those, the tool would no longer run until I installed the latest Java runtime!

    Anyway, I did all of that and now I've got only WinZip 9 to deal with and I suppose it's time that I upgrade to WinZip 11 since I've been a user of that software for so many years.

    BTW, I don't know if "trusted sites" is good enough, since USA Today would have been very high on my list of trusted sites.

  5. #5
    3 Star Lounger baumgrenze
    Join Date
    Feb 2001
    Location
    California, USA
    Posts
    262
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Re: Malvertisements

    Hans,

    Please provide a link (or a brief description) for how to remove the old version of Flash (9.0.47.0) that Secunia found on my system.

    I carefully followed the instructions on the Adobe website and removed what I found on my machine with "Add Remove Programs" and then reinstalled 9.0.124.0, but the old version is still there. I don't think that XP is finding (9.0.47.0) which Secunia says is in

    C:\WINDOWS\SYSTEM32\Macromed\Flash\Flash9d.ocx

    I trust that it is not as simple as just exploring to the address and deleting a file. There must be one or more registry entries that need correcting as well, no?

    I doubt I am the only reader who will have trouble dealing with this. Search on the Adobe website dumps a whole truckload of false positive hits.

    Thanks,
    Baumgrenze
    Here we are deeply rooted.

  6. #6
    Plutonium Lounger
    Join Date
    Mar 2002
    Posts
    84,353
    Thanks
    0
    Thanked 29 Times in 29 Posts

    Re: Malvertisements

    I uninstalled Flash Player through the Add or Remove Programs control panel, then ran the registry cleaner part of CCleaner. It found a bunch of Flash-related registry entries, and I let it remove them. I then reinstalled the latest version of Adobe Flash. Secunia now gave me a clean bill of health.

  7. #7
    3 Star Lounger baumgrenze
    Join Date
    Feb 2001
    Location
    California, USA
    Posts
    262
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Re: Malvertisements

    Thank you Hans,

    I will download CCleaner.

    I went back to Secunia and rescanned. The first time I only paid attention to the "warning" hit which was expanded. This time I expanded the hit for the 9.0.124.0 version of FlashPlayer.

    The old version is shown to be in:

    C:\WINDOWS\SYSTEM32\Macromed\Flash\Flash9d.ocx

    and the 9.0.124.0 version is shown to be in:

    C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll

    My understanding is that I should uninstall 9.0.124.0 using "Add Remove Programs." Do I then navigate to

    C:\WINDOWS\SYSTEM32\Macromed\Flash\Flash9d.ocx

    and delete

    Flash9d.ocx

    since it appears that "Add Remove Programs" didn't find it when I last went through the whole 'install the latest version' rigamarole a week or so ago.

    I think that the last time I installed Flash I'd found a page at Adobe that warned me that in addition to uninstalling any previous version I also had to shut down all the running programs I could find before installing the newest Flash plug-in. That seemed strange to me, but I did it.

    Thanks again,
    Baumgrenze
    Here we are deeply rooted.

  8. #8
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Malvertisements

    There are two sets of Flash files. The Firefox plugin is the file whose name starts with NP, and the ActiveX controls for IE have a .ocx extension. My current .ocx file is:

    C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx

    To get the new .ocx, visit Adobe.com with Internet Explorer and update the Flash player.

    As for the older .ocx files, I just deleted or renamed the Flash9n.ocx files manually. There might be some registry entries that point to those old .ocx files, but I didn't hunt them down. I suppose I might get an error message some day if a page tries to run a specific older version of the plugin, but I don't expect any major system instability. I use IE sparingly, so YMMV.

  9. #9
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Malvertisements

    > BTW, I don't know if "trusted sites" is good enough, since USA Today would have been very high on my list of trusted sites.
    NoScript sanitizes suspicious URLs that appear to be cross-site scripting attacks. It's that anti-XSS feature that would be helpful in this case.

  10. #10
    3 Star Lounger baumgrenze
    Join Date
    Feb 2001
    Location
    California, USA
    Posts
    262
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Re: Malvertisements

    This just gets more confusing with every move!

    I ran Add Remove Programs and removed the most recent version of Flash. For good measure I also removed Shockwave Player on the chance that it contained a version of Flash. I went back to Secunia and enabled the “thorough system inspection” box and it reports the presence of both versions of Flash as before! I have a screen dump to prove it. I went back to Add Remove Programs and it no longer shows Flash at all!

    I downloaded CCleaner and ran the Registry application with only "Obsolete Software" checked. It found a key for 'lameme' which I believe is part of the Sourceforge Audacity package. I tried some of the other selections and found nothing that referenced Flash.

    In the Uninstall tool I found no references to Flash unless Adobe Common File Installer is significant.

    What next? I know I can use ZTree to find the path that Secunia revealed. I can easily change any attributes to allow all of the files and then the directory folder to be deleted. My limited knowledge of XP suggests that this won't cut it. Am I wrong?

    Thanks,
    Baumgrenze
    Here we are deeply rooted.

  11. #11
    5 Star Lounger
    Join Date
    Jan 2001
    Location
    Cumberland, Maryland, USA
    Posts
    880
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Malvertisements

    Go to How to uninstall the Adobe Flash Player . . . , following the instructions, and then to Install Adobe Flash Player .

  12. #12
    3 Star Lounger baumgrenze
    Join Date
    Feb 2001
    Location
    California, USA
    Posts
    262
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Re: Malvertisements

    J

    Thank you for the insight.

    I do not believe that I saw any instructions that said that I needed to download the Flash player twice, once with SeaMonkey and then again with IE.

    Like you, I avoid IE as much as I can.

    I'll delete the entire Flash folder and then redownload Flash. Do I get two different executables for separate wizards, one for IE and a second for SeaMonkey?

    A careful look at the current MacromediaFlash directory shows that it contains:

    install.log
    uninstall_plugin.exe
    NPSWF32_FlashUtil.exe
    NPSWF32.dll
    flashplayer.xpt
    Flash9d.ocx
    FlashUtil9d.exe
    KB923789.inf
    genuinst.exe

    So the .ocx on my system is 9d instead of 9f.

    The installer I have appears to have been downloaded on 4/11/08. Its properties say it was created on Wednesday, March 12, 2008, 7:35:02 PM. It has a file version 9.0.124.0 with an 'other version' value of 1.0.20.

    And we spend all this time trying to understand so that some website designer can have 'whiz/bang' on the website at the expense of all of us because the underlying software is full of holes for the 'malware community' to seek out and abuse so that Adobe looks bad. There must be a lesson here somewhere.

    My mileage may vary, I find that it does with my 2004 Prius, too. Perhaps my accelerator pedal foot is a bit too heavy.

    Thanks to all
    Baumgrenze
    Here we are deeply rooted.

  13. #13
    3 Star Lounger baumgrenze
    Join Date
    Feb 2001
    Location
    California, USA
    Posts
    262
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Re: Malvertisements

    DenGar,

    I only found your entry when I returned to the forum one last time before bedtime.

    Thanks, you confirm what I was told to do at:

    http://groups.google.com/group/microsoft.p...5bcac29a?hl=en#

    and Adobe tells us with a straight face (I think) "Due to recent enhancements to the Adobe Flash Player installers, you can now remove the player only by using the Adobe Flash Player uninstaller."

    An enhanced product which is no longer subject to the "Add/Remove Programs" feature of the OS!

    Go figure!
    Baumgrenze
    Here we are deeply rooted.

  14. #14
    3 Star Lounger baumgrenze
    Join Date
    Feb 2001
    Location
    California, USA
    Posts
    262
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Re: Malvertisements

    Hello All,

    I ran the Adobe uninstaller with everything in the System Tray off that I could shut off, even avast!

    It reported a successful uninstall!

    However, someone forgot something at Adobe!

    Here is what Secunia found, only after I checked the box (Enable thorough system inspection. Enable the Secunia Software Inspector to search for software installed in non-default locations.)

    This installation of Adobe Flash Player 9.x is insecure and potentially exposes your system to security threats!

    The detected version installed on your system is 9.0.45.0, however, the latest secure version released by the vendor, fixing one or more vulnerabilities, is 9.0.124.0.

    Update Instructions:
    Update to version 9.0.124.0.
    http://www.adobe.com/go/getflash

    NOTE: When updating Flash Player, older versions are not always automatically removed from your system. If older versions were detected that you believe should not be present, then please contact the vendor regarding how to remove them from your system.

    Vulnerabilities Fixed:
    Read about the vulnerabilities fixed with this update in Secunia advisory SA28083 (opens in a new window). The Secunia advisory describes the vulnerabilities fixed by the latest security update. If your installation is outdated with more than one version, then more vulnerabilities may be covered.

    Installed on Your System in:
    C:\Program Files\Adobe\Adobe Premiere Elements 4.0\Browser\plugins\NPSWF32.dll

    Adobe forgot that Adobe Premiere Elements also installs the plugin, and it uses the one on the CD!

    It is a bit disturbing that Secunia did not find this error earlier this afternoon. I've done nothing with Premiere Elements since I installed it days ago.

    I thought everyone should know this.
    Baumgrenze
    Here we are deeply rooted.

  15. #15
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Malvertisements

    For some reason, I find that installing from the downloadable installer for Firefox (etc.) does not update the ActiveX plugin used in IE. Not sure why.

    It's interesting that your file name has a "d" in it. I deleted that one and besides the current one with "f" in the name, I have a renamed file with "e" in the name which is version 9.0.115.0. Maybe the name of the .ocx is incremented every time you update?? One other way to check the currency might be to right-click the .ocx file and check Properties. My dialog lists this digital signature date: Monday, March 24, 2008 7:32:42 PM.
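
Added example (not part of the thread and not Secunia's or Adobe's code): the thread shows stale Flash binaries surviving in more than one place, so this sketch walks a directory tree, finds every ActiveX control and NP plugin by the file names mentioned above, and reads each file's version from its embedded version resource, which is the same value the Properties dialog shows. Assumptions: the function names are hypothetical, the version is located by scanning for the VS_FIXEDFILEINFO signature rather than calling the Windows version API, and `fake_binary` builds constructed sample data.

```python
import fnmatch, os, struct

FIXED_VERSION = (9, 0, 124, 0)             # "latest secure version" quoted in the thread
PATTERNS = ("flash*.ocx", "npswf32.dll")   # ActiveX control and NP plugin names from the thread
SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO.dwSignature

def file_version(data):
    """Return (major, minor, build, revision) from a VS_FIXEDFILEINFO block, or None."""
    pos = data.find(SIGNATURE)
    while pos != -1:
        if pos + 16 <= len(data):
            struc, ms, ls = struct.unpack_from("<III", data, pos + 4)
            if struc == 0x00010000:        # dwStrucVersion is 1.0; rejects chance matches
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(SIGNATURE, pos + 1)
    return None

def find_flash_copies(root):
    """Walk root; return sorted (path, version, is_outdated) for every Flash binary."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(fnmatch.fnmatch(name.lower(), p) for p in PATTERNS):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        version = file_version(fh.read())
                except OSError:
                    continue               # locked or unreadable file
                # A copy with no readable version is flagged for manual review.
                outdated = version is None or version < FIXED_VERSION
                hits.append((path, version, outdated))
    return sorted(hits)

def fake_binary(version):
    """Constructed sample: padding plus a minimal VS_FIXEDFILEINFO header."""
    a, b, c, d = version
    return b"MZ" + b"\0" * 64 + SIGNATURE + struct.pack(
        "<III", 0x00010000, a << 16 | b, c << 16 | d)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for path, version, outdated in find_flash_copies(root):
        print("OUTDATED" if outdated else "ok      ", version, path)
```

Scanning the whole drive rather than only the Macromed\Flash folder is what surfaces copies bundled with other applications, like the plugin under Adobe Premiere Elements reported in post #14.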
