Security Bulletin

Microsoft Security Bulletin MS06-069 - Critical

Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789)

Published: November 14, 2006 | Updated: May 13, 2008

Version: 2.0

Summary

Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

Security Update Replacement: This bulletin replaces a prior security update. See the frequently asked questions (FAQ) section of this bulletin for the complete list.

Caveats: This bulletin is for customers using Macromedia Flash Player version 6 from Adobe. Customers that have followed the guidance in Adobe Security Bulletin APSB06-11, issued September 12, 2006, are not at risk from these vulnerabilities.

Vulnerable versions of Macromedia Flash Player from Adobe are redistributed with Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, and Microsoft Windows XP Professional x64 Edition. Other versions of Windows are not affected or not supported by this security update. Customers with Flash Player installed on other versions of the operating system or customers who have upgraded to Flash Player 7 or higher are encouraged to follow the guidance in the Adobe Security Bulletin APSB06-11.

Microsoft Knowledge Base Article 923789 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 923789.

Tested Software and Security Update Download Locations:

Affected Software:

Non-Affected Software:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Windows Vista

Note Flash Player does not ship with the versions of Microsoft Windows in the Non-Affected Software list. Customers who have installed Flash Player on these versions of Windows are encouraged to follow the guidance in the Adobe Security Bulletin APSB06-11.

The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

General Information

Executive Summary

Executive Summary:

This update resolves privately reported vulnerabilities in Macromedia Flash Player from Adobe, version 6.0.84.0 and earlier. Macromedia Flash Player is a third party software application that also was redistributed with Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, and Microsoft Windows XP Professional x64 Edition. Each vulnerability is documented in the "Vulnerability Details" section of this bulletin. The Adobe Security Bulletin APSB06-11, issued September 12, 2006, describes the vulnerabilities and provides the download locations for customers who have installed Flash Player 7 and higher so that you can install the appropriate update based on the version of Flash Player you are using. Customers that have followed the guidance in the Adobe Security Bulletin are not at risk from these vulnerabilities.

If a user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

We recommend that customers apply the update immediately.

Severity Ratings and Vulnerability Identifiers:

Vulnerability Identifiers Impact of Vulnerability Windows 2000 Service Pack 4 Windows XP Service Pack 2 and Windows XP Service Pack 3 Windows Server 2003 Windows Server 2003 Service Pack 1
Macromedia Flash Player Vulnerabilities - CVE-2006-3014, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640 Remote Code Execution Not applicable Critical Not applicable Not applicable

Note Flash Player does not ship with Microsoft Windows 2000 Service Pack 4, Windows Server 2003 and Windows Server 2003 Service Pack 1. Customers who have installed Flash Player on these versions of Windows are encouraged to follow the guidance in the Adobe Security Bulletin APSB06-11.

Note The severity ratings for non-x86 operating system versions map to the x86 operating systems versions as follows:

  • The Windows XP Professional x64 Edition severity rating is the same as the Windows XP Service Pack 2 severity rating.
  • The Windows Server 2003 for Itanium-based Systems severity rating is the same as the Windows Server 2003 severity rating.
  • The Windows Server 2003 with SP1 for Itanium-based Systems severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.
  • The Windows Server 2003 x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.

This assessment is based on the types of systems that are affected by these vulnerabilities, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Why was this Bulletin revised on May 13, 2008?
This bulletin was revised to add Windows XP Service Pack 3 as affected software. This is a detection update only. There were no changes to the binaries, since the same update for Windows XP Service Pack 2 and Windows XP Professional x64 Edition applies to Windows XP Service Pack 3. Customers with Windows XP Service Pack 2 and Windows XP Professional x64 Edition who have already installed the security update will not need to reinstall the update. Customers with Windows XP Service Pack 3 should apply the update immediately.

Is Flash Player a Microsoft technology?
No. This software is made by Adobe Systems Inc., formerly Macromedia, Inc.

Is MacromediaFlash Player redistributed by Microsoft?
Yes. Some versions of Flash Player have been redistributed by Microsoft. The supported versions of Windows that redistribute Flash Player are Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition. No other supported versions of Windows redistribute Flash Player. Other software applications from Microsoft may also redistribute Macromedia Flash Player.

Note that if you use the 64-bit version of Internet Explorer on Windows XP Professional x64 Edition you do not have MacromediaFlash Player available to you. The Macromedia Flash Player included with Windows XP Professional x64 Edition is the 32-bit version.

What updates does this release replace?
This security update replaces a prior security update. The security bulletin ID and affected operating systems are listed in the following table.

Bulletin ID Windows 2000 Windows XP (all versions) Windows Server 2003 (all versions)
MS06-020 Not applicable Replaced Not applicable

Which versions of the Macromedia Flash Player from Adobe are redistributed with Windows?

Microsoft Windows version Macromedia Flash Player from Adobe Filenames and Versions
Microsoft Windows XP Service Pack 2 and Windows XP Service Pack 3 Flash.ocx 6.0.79
Microsoft Windows XP Professional x64 Edition Flash.ocx 6.0.79

Note Microsoft Security Bulletin MS06-020 was released on May 9, 2006 and provided updates for customers using these versions of Flash Player. Customers who do not use version 7, 8, or 9 of Flash Player would, if they have applied MS06-020, have version 6.0.84 of Flash Player.

I use a version of Windows that is not listed in this table. Might I still have the Macromedia Flash Player installed on my system?
Yes. Flash Player is available for download from Adobe Systems, Inc. (formerly Macromedia, Inc). MacromediaFlash Player also may have been installed or required by another software application. You can determine whether you have Macromedia Flash Player installed and if so, determine what version by visiting the following Adobe Web site. If you have a version of Flash Player earlier than 7.0.65.0 or 8.0.33.0, you have a version that may be affected by the reported vulnerabilities.

The Adobe Security Bulletin discusses the vulnerabilities and provides the download locations so that you can install updated versions of Flash Player.

Note If you do not have MacromediaFlash Player installed the Adobe Web site will prompt you to install the latest version of Macromedia Flash Player.

I have a MacromediaFlash Player version earlier than version 7 on my system. What can I do?
If you are using any of the Windows versions called out in “Which versions of the Flash Player are redistributed with Windows?” you can visit Windows Update to receive security updates for these versions of Windows. If you use any other supported Windows version, or if you are using Flash Player 7 and higher, you can visit the Adobe download center as called out under the affected software section of the Adobe security bulletin to install the update

Extended security update support for Microsoft Windows XP Home Edition Service Pack 1 or Service Pack 1a, Windows XP Media Center Edition 2002 Service Pack 1, Windows XP Media Center Edition 2004 Service Pack 1, Windows XP Professional Service Pack 1 or Service Pack 1a, and Windows XP Tablet PC Edition Service Pack 1 ended on October 10, 2006. I am still using one of these operating systems; what should I do?
Windows XP (all versions) Service Pack 1 has reached the end of its support life cycle. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Extended security update support for Windows 98, Windows 98 Second Edition, or Windows Millennium Edition ended on July 11, 2006. I am still using one of these operating systems, what should I do?
Windows 98, Windows 98 Second Edition, and Windows Millennium Edition have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Extended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I am still using one of these operating systems; what should I do?
Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Customers who require custom support for these products must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?
The following table provides the MBSA detection summary for this security update.

Product MBSA 1.2.1 Enterprise Scanning Tool (EST) MBSA 2.0
Microsoft Windows XP Service Pack 2 and Windows XP Service Pack 3 No Yes Yes
Microsoft Windows XP Professional x64 Edition No No Yes

For more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.

For more detailed information, see Microsoft Knowledge Base Article 910723.

What is the Enterprise Update Scan Tool (EST)?
As part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scan Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scan Tool is created for a specific bulletin, customers can run the tool from a command-line interface (CLI) and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. There is also a version of the tool that offers an integrated experience for SMS administrators.

Can I use a version of the Enterprise Update Scan Tool (EST) to determine whether this update is required?
Yes. Microsoft has created a version of EST that will determine if you have to apply this update. For download links and more information about the version of EST that is being released this month, see Microsoft Knowledge Base Article 894193. SMS customers should review the following FAQ, “Can I use Systems Management Server (SMS) to determine whether this update is required?" for more information about SMS and EST.

Can I use Systems Management Server (SMS) to determine whether this update is required?
The following table provides the SMS detection summary for this security update.

Product SMS 2.0 SMS 2003
Microsoft Windows XP Service Pack 2 and Windows XP Service Pack 3 Yes (With EST) Yes
Microsoft Windows XP Professional x64 Edition No Yes

SMS 2.0 and SMS 2003 Software Update Services (SUS) Feature Pack can use MBSA 1.2.1 for detection and therefore have the same limitation that is listed earlier in this bulletin related to programs that MBSA 1.2.1 does not detect.

For SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool (SUIT), can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about SUIT, visit the following Microsoft Web site. For more information about the limitations of SUIT, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For more information about SMS, visit the SMS Web site.

For more detailed information, see Microsoft Knowledge Base Article 910723.

Can I use SMS to determine if the Macromedia Flash Player is installed on a system?
Yes. SMS can help detect if the Macromedia Flash Player is installed on a system. SMS can search for the existence of the file Flash.ocx. Flash.ocx version 6.0.84.0 or earlier may be vulnerable. This security update installs Flash6.ocx version 6.0.88.0 and removes the version of Flash.ocx it is replacing.

Vulnerability Details

Macromedia Flash Player Vulnerabilities - CVE-2006-3311, CVE-2006-3014, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640:

Several remote code execution vulnerabilities exist in Macromedia Flash Player from Adobe because of the way that it handles Flash Animation (SWF) files. An attacker could exploit these vulnerabilities by constructing a specially crafted Flash Animation (SWF) file that could potentially allow remote code execution if a user visited a Web site containing the specially crafted SWF file. The specially crafted SWF file could also be sent as an e-mail attachment. A user would only be at risk if opening this e-mail attachment. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system.

Mitigating Factors for Macromedia Flash Player Vulnerabilities - CVE-2006-3311, CVE-2006-3014, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640:

  • Customers that have followed the guidance in Adobe Security Bulletin APSB06-11 are not at risk from the vulnerabilities.
  • By default, Microsoft Windows 2000 Service Pack 4, Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 do not ship with Flash Player installed. However, customers that have installed a version of Macromedia Flash Player on these versions of Windows are encouraged to follow the guidance in the Adobe Security Bulletin APSB06-11.
  • In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit these vulnerabilities. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
  • An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • The Restricted sites zone helps reduce attacks that could try to exploit these vulnerabilities by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail they could still be vulnerable to this issue through the Web-based attack scenario described previously. By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.

Workarounds for Macromedia Flash Player Vulnerabilities - CVE-2006-3311, CVE-2006-3014, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

  • Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer for Windows XP Service Pack 2
    You can help protect against these vulnerabilities by temporarily preventing the Flash Player ActiveX control from running in Internet Explorer. On Windows XP Service Pack 2 use the Internet Explorer Manage Add-ons feature to disable the ActiveX control.

    1. Start Internet Explorer.
    2. On the Tools menu, click Manage Add-ons.
    3. Locate and click on “Shockwave Flash Object”.
    4. To disable the add-on, click Disable, and then click OK.

    Note If you cannot locate the ActiveX control then use the drop-down box to switch from “Add-ons currently being used in Internet Explorer” to “Add-ons that have been used by Internet Explorer” and follow steps 3 and 4. If the ActiveX control is not present in this list you either have not used the ActiveX control before or it is not present on your system. See the workaround “Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer” for additional information.

    For more information on the Internet Explorer Manage Add-ons feature in Windows XP Service Pack 2, see Microsoft Knowledge Base Article 883256.

    Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

    To regain functionality you need to use the Internet Explorer Manage Add-ons feature to enable the ActiveX control.

  • Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer
    Temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer by setting the kill bit for the control.

    Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    We recommend that you back up the registry before you edit it.

    Use the following text to create a .reg file that temporarily prevents attempts to instantiate the Flash Player ActiveX control in Internet Explorer. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}] "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}] "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}] "Compatibility Flags"=dword:00000400

    Close Internet Explorer, and reopen it for the changes to take effect.

    For detailed steps about stopping a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps and create a Compatibility Flags value in the registry to prevent the Flash Player ActiveX control from running in Internet Explorer.

    Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

    To regain functionality you need to undo the kill bits for the Flash Player ActiveX control remove the registry keys added to temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer.

  • Modify the Access Control List on the Flash Player ActiveX control to temporarily prevent it from running in Internet Explorer
    To modify the Access Control List (ACL) on the Flash Player ActiveX control to be more restrictive, follow these steps:

    1. Click Start, click Run, type "cmd" (without the quotation marks), and then click OK.

    2. Type the following commands at a command prompt. Make a note of the current files ACLs, including inheritance settings. You may need this list if you have to undo these modifications:

      cacls %windir%\system32\Macromed\Flash\Flash.ocx

    3. Type the following command at a command prompt to deny the ‘everyone’ group access to this file:

      echo y|cacls %windir%\system32\Macromed\Flash\Flash.ocx /d everyone

    4. Close Internet Explorer, and reopen it for the changes to take effect.

    Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

    To regain functionality you need to undo the modifications to the Access Control List on the ActiveX control you have on your system.

  • Un-register the Flash Player ActiveX Control
    To un-register the Flash Player ActiveX control, follow these steps:

    1. Click Start, click Run, type "regsvr32.exe /u %windir%\system32\Macromed\Flash\Flash.ocx" (without the quotation marks), and then click OK.
    2. A dialog box confirms that the un-registration process has succeeded. Click OK to close the dialog box.
    3. Close Internet Explorer, and reopen it for the changes to take effect.

    Impact of Workaround: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

    To reregister the Flash Player ActiveX control, follow these steps:

    1. Click Start, click Run, type "regsvr32.exe %windir%\system32\Macromed\Flash\Flash.ocx" (without the quotation marks), and then click OK.
    2. A dialog box confirms that the registration process has succeeded. Click OK to close the dialog box.
    3. Close Internet Explorer, and reopen it for the changes to take effect.
  • Restrict access to the Macromedia Flash folder by using a Software Restriction Policy
    To restrict access to the Macromedia Flash folder (%windir%\system32\Macromed\Flash\) on Windows XP and later versions you can create a Software Restriction Policy. To create this policy, use a registry script or create a Group Policy setting to block the loading of the Flash Player ActiveX control.

    For more information about Group Policy, visit the following Microsoft Web sites:

    Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Change Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

    We recommend that you back up the registry before you edit it.

    Use the following text to create a .reg file to restrict access to the Macromedia Flash folder. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers] "TransparentEnabled"=dword:00000002

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{2742f840-c2d8-4eb3-a486-0a9d0879f29f}]
    "LastModified"=hex(b):10,c3,8a,19,c6,e3,c5,01
    "Description"="Block Macromedia Flash"
    "SaferFlags"=dword:00000000
    "ItemData"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,\
    79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,61,00,63,00,72,00,6f,\
    00,6d,00,65,00,64,00,5c,00,66,00,6c,00,61,00,73,00,68,00,5c,00,2a,00,00,00

  • Change your Internet Explorer settings to prompt before running ActiveX controls or disable ActiveX controls in the Internet security zone and in the Local intranet security zone
    You can help protect against these vulnerabilities by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:

    1. In Internet Explorer, click Internet Options on the Tools menu.
    2. Click the Security tab.
    3. Click Internet, and then click Custom Level.
    4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
    5. Click Local intranet, and then click Custom Level.
    6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
    7. Click OK two times to return to Internet Explorer.

    Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the following method:

    Restrict Web sites to only your trusted Web sites.

    After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

    To do this, follow these steps:

    1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
    2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
    3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
    4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
    5. Repeat these steps for each site that you want to add to the zone.
    6. Click OK two times to accept the changes and return to Internet Explorer.

    Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). This is the site that will host the update, and it requires an ActiveX control to install the update.

  • Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX controls in these zones
    You can help protect against these vulnerabilities by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.

    To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

    1. On the Internet Explorer Tools menu, click Internet Options.
    2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
    3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

    Note If no slider is visible, click Default Level, and then move the slider to High.

    Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

    Impact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the following method:

  • Remove the Flash Player from your system
    If you want to remove the Macromedia Flash Player, refer to the Adobe Flash Player Support FAQ for instructions.

    To regain functionality you need install the current version of the MacromediaFlash Player ActiveX control from the Adobe Web site.

FAQ for Macromedia Flash Player Vulnerabilities - CVE-2006-3311, CVE-2006-3014, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640:

What is the scope of the vulnerability?
These are remote code execution vulnerabilities. If a user is logged on with administrative user rights, an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
Memory corruptions when loading specially crafted SWF files in the Macromedia Flash Player from Adobe.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited any of these vulnerabilities could take complete control of the affected system.

How could an attacker exploit the vulnerability?
An attacker could host a Web site containing the specially crafted SWF file that is designed to exploit one or more of these vulnerabilities through Internet Explorer and then convince a user to view the Web site. The specially crafted SWF file could also be sent as an e-mail attachment. A user would only be at risk if opening this e-mail attachment.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerabilities by modifying the way that the Flash Player handles Flash Animation (SWF) files.

When this security bulletin was issued, had these vulnerabilities been publicly disclosed?
Microsoft had not received any information to indicate that these vulnerabilities have been publicly disclosed when this security bulletin was originally issued. These vulnerabilities are also discussed in the Adobe Security Bulletin APSB06-11.

When this security bulletin was issued, had Microsoft received any reports that these vulnerabilities were being exploited?
No. Microsoft had not received any information to indicate that these vulnerabilities have been publicly used to attack customers.

Security Update Information

Affected Software:

For information about the specific security update for your affected software, click the appropriate link:

Windows XP (all versions)

Prerequisites This security update requires Microsoft Windows XP Service Pack 2 or a later version. For more information, see Microsoft Knowledge Base Article 322389.

Inclusion in Future Service Packs The update for this issue may be included in future Service Packs or Update Rollups for Windows versions that included Flash Player in their original distribution.

Installation Information

This update uses the IExpress installer technology. For more information on IExpress, please see Microsoft Knowledge Base Article 197147.

This security update supports the following setup switches.

Switch Description
Setup Modes
/q Specifies quiet mode, or suppresses prompts, when files are being extracted.
/q:u Specifies user-quiet mode, which presents some dialog boxes to the user.
/q:a Specifies administrator-quiet mode, which does not present any dialog boxes to the user.
Restart Options
/r:n Never restarts the computer after installation.
/r:i Prompts the user to restart the computer if a restart is required, except when used with /q:a.
/r:a Always restarts the computer after installation.
/r:s Restarts the computer after installation without prompting the user.
Special Options
/t:<full path> Specifies the target folder for extracting files.
/c Extracts the files without installing them. If /T: path is not specified, user will be prompted for a target folder.
/c:<Cmd> Override Install Command defined by author. Specifies the path and name of the Setup .inf or .exe file.

Note These switches do not necessarily work with all updates. If a switch is not available, then that functionality is necessary for the correct installation of the update. Also, the use of the /N:V switch is unsupported and may result in an unbootable system. If the installation is unsuccessful, you should consult your support professional to understand why it failed to install.

For additional information about the supported setup switches, see Microsoft Knowledge Base Article 197147.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt:

Windows-kb923789-x86-enu /q:a

For information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site. For information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site. This security update will also be available through the Microsoft Update Web site.

Restart Requirement

This update does not require a restart.

Removal Information

This security update cannot be removed.

If you want to remove the Macromedia Flash Player, refer to the Adobe Flash Player Support FAQ for instructions.

To regain functionality you need install the current version of the MacromediaFlash Player ActiveX control from the Adobe Web site.

File Information

The English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Home Edition Service Pack 2, Windows XP Professional Service Pack 2, Windows XP Professional Service Pack 3, Windows XP Tablet PC Edition 2005, Windows XP Media Center Edition 2005, and Windows XP Professional x64 Edition:

File Name Version Date Time Size
Geninst.exe 6.0.2800.1571 24-Aug-2006 00:49 27,136
Genuinst.exe 6.0.2800.1531 21-Jan-2006 23:01 25,088
Install_fp6_wu_r88.exe 02-Aug-2006 07:55 478,360

Note Geninst.exe is an installer wrapped in an IExpress installer package. This table lists the files included in the IExpress package. This security update installs Flash6.ocx version 6.0.88.0and removes the version of Flash.ocx it is replacing.

Verifying that the Update Has Been Applied

  • Microsoft Baseline Security Analyzer
    To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

  • Registry Key Verification
    You may also be able to verify the files that this security update has installed by reviewing the following registry key.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5056b317-8d4c-43ee-8543-b9d1e234b8f4}

  • Online verification
    Users may verify the installed version by visiting the AdobeWeb site.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Obtaining Other Security Updates:

Updates for other security issues are available at the following locations:

Support:

  • Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Security Resources:

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.

For more information about how to deploy security updates by using Software Update Services, visit the Software Update Services Web site.

Windows Server Update Services:

By using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 onto Windows 2000 and later operating systems.

For more information about how to deploy security updates using Windows Server Update Services, visit the Windows Server Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer, the Microsoft Office Detection Tool, and the Enterprise Update Scan Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (November 14, 2006): Bulletin published.
  • V1.1 (November 15, 2006): Bulletin revised to clarify that this security update installs Flash6.ocx version 6.0.88.0 and removes the version of Flash.ocx it is replacing.
  • V2.0 (May 13, 2008): Bulletin updated to add Windows XP Service Pack 3 as affected software. This is a detection update only. There were no changes to the binaries.

Built at 2014-04-18T13:49:36Z-07:00