Microsoft Security Advisory (979267)
Vulnerabilities in Adobe Flash Player 6 Provided in Windows XP Could Allow Remote Code Execution
Published: January 12, 2010
Version: 1.0
General Information
Executive Summary
Microsoft is aware of reports of vulnerabilities in Adobe Flash Player 6 provided in Windows XP. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time but recommend that users install the latest version of Flash Player provided by Adobe.
The Adobe Flash Player 6 was provided with Windows XP and contains multiple vulnerabilities that could allow remote code execution if a user views a specially crafted Web page. Adobe has addressed these vulnerabilities in newer versions of Adobe Flash Player. Microsoft recommends that users of Windows XP with Adobe Flash Player 6 installed update to the most current version of Flash Player available from Adobe.
Advisory Details
Affected and Non-Affected Software
This advisory discusses the following software.
Affected Software
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Non-Affected Software
Microsoft Windows 2000 Service Pack 4
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Frequently Asked Questions
What is the scope of the advisory?
Microsoft is aware of vulnerability reports affecting Adobe Flash Player 6 provided in supported editions of Windows XP listed in the Affected Software section. This is an advisory to notify users to remove Adobe Flash Player 6 on Windows XP systems and/or to install the most current version of Flash Player available from Adobe.
What is Adobe Flash Player?
Adobe Flash Player is a lightweight browser plug-in and runtime that delivers interactive content, video, and applications across operating systems and browsers. For more information on Adobe Flash Player, visit Adobe Flash Player Home.
What causes this threat?
Multiple vulnerabilities exist in Adobe Flash Player 6 provided in Windows XP when used in a Web browsing scenario. An attacker who exploits these vulnerabilities could execute code on the affected system.
How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site that is designed to exploit these vulnerabilities through Internet Explorer and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
How do I remove Adobe Flash Player 6?
There are multiple ways to remove Adobe Flash Player 6 on Windows XP systems. For directions on the manual steps required to remove Adobe Flash Player 6, see How to remove the Flash Player ActiveX control. Adobe also provides an uninstaller tool that removes Adobe Flash Player. For more information on the uninstaller tool, see How to uninstall the Adobe Flash Player plug-in and ActiveX control.
Note: The uninstaller tool removes all versions of Adobe Flash Player and is not specific to Adobe Flash Player 6.
How do I install the latest version of Adobe Flash Player?
To install the most current version of Adobe Flash Player, see Install Adobe Flash Player.
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of this issue. The following mitigating factors may be helpful in your situation:
• Adobe Flash Player version 6 was only provided in Windows XP systems. All other supported versions of the Windows operating system do not include the Adobe Flash Player.
Perform one or both of the following steps:
• Uninstall the Adobe Flash Player version 6.
• Install the most current version of Flash Player available from Adobe.
Additional Suggested Actions
• Review the Microsoft Knowledge Base Article that is associated with this advisory
All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about Microsoft security updates, visit Microsoft Security Central.
We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.
• For more information about staying safe on the Internet, visit Microsoft Security Central.
• Keep Windows Updated
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Other Information
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
• TippingPoint and the Zero Day Initiative for reporting vulnerabilities in Adobe Flash Player 6
• Will Dormann of CERT/CC for reporting vulnerabilities in Adobe Flash Player 6
• Carsten H. Eiram and Dyon Balding of Secunia for reporting vulnerabilities in Adobe Flash Player 6
Feedback
• You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
Support
• Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
• International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
• Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
V1.0 (January 12, 2010): Advisory published.