Flash still not patched


Ryan Naraine took a look at the Google Analytics for a couple of sites and notes that those visitors aren't patching their Flash.

I'm seeing the same type of thing he's seeing when I look in the Google Analytics report for www.infosecblog.org.

Nearly 30% report that they are running unpatched Flash 9.0 r115.

You'd think if you were at a security blog, reading about Flash updates, that you might want to check if your Flash is up to date.

I'm a little surprised to hear people say that Adobe doesn't have a Flash update mechanism. Until I killed the updater in our environment, users were prompted to update if one was available at the time they accessed a Flash applet.

At Shmoocon, one of the sessions discussed passive vulnerability fingerprinting like this. If you don't have the ability to do authenticated scans, look for opportunities like this to gather version information from the logs.
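A sketch of that kind of passive check, added here as an example and not taken from the Shmoocon session or from any tool mentioned in this post. It assumes a proxy log that records the Flash version string a client reported with each request (shown as an `x-flash-version` field); the log format, sample lines and function names are constructed, and 9.0 r124 is assumed as the minimum patched build because it is the build named in the comments below.

```python
import re

# Assumption: 9.0 r124 (the build named in the comments) is the minimum patched build.
MIN_PATCHED = (9, 0, 124, 0)

# Constructed sample lines in a hypothetical proxy log format:
# ISO timestamp, client IP, Flash version string reported with the request.
SAMPLE_LOG = """\
2008-06-03T19:01:12 10.0.0.21 x-flash-version="9,0,115,0"
2008-06-03T19:01:40 10.0.0.22 x-flash-version="9,0,124,0"
2008-06-03T19:02:05 10.0.0.23 x-flash-version="-"
2008-06-03T19:03:17 10.0.0.21 x-flash-version="9,0,115,0"
2008-06-03T19:04:09 10.0.0.24 x-flash-version="9,0,47,0"
2008-06-03T19:05:30 10.0.0.22 x-flash-version="9,0,115,0"
2008-06-03T19:06:02 10.0.0.25 garbage line
2008-06-03T19:07:44 10.0.0.26 x-flash-version="9,0,124,0"
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+x-flash-version="(\d+),(\d+),(\d+),(\d+)"\s*$')

def latest_versions(log_text):
    """Return {client_ip: version tuple} from the most recent usable line per client."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no version reported, or a malformed line
        ts, ip = m.group(1), m.group(2)
        version = tuple(int(part) for part in m.groups()[2:])
        # ISO timestamps sort lexicographically, so a later line wins (catches downgrades).
        if ip not in seen or ts >= seen[ip][0]:
            seen[ip] = (ts, version)
    return {ip: version for ip, (_, version) in seen.items()}

def unpatched_clients(log_text, minimum=MIN_PATCHED):
    """Clients whose most recently observed version is below the minimum."""
    return {ip: v for ip, v in latest_versions(log_text).items() if v < minimum}

def unpatched_share(log_text, minimum=MIN_PATCHED):
    """Fraction of clients with a reported version that are below the minimum."""
    versions = latest_versions(log_text)
    return len(unpatched_clients(log_text, minimum)) / len(versions) if versions else 0.0

if __name__ == "__main__":
    for ip, v in sorted(unpatched_clients(SAMPLE_LOG).items()):
        print(ip, ".".join(map(str, v)))
    print(f"{unpatched_share(SAMPLE_LOG):.0%} of reporting clients are below the minimum")
```

Keeping only the latest observation per client means a host that goes from build 124 back to build 115 shows up as unpatched again, which is the case to watch for after an install that replaces the player.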


2 Comments

XP SP3 contains version 115; installing sp3 downgrades your flash player.
http://www.adobe.dougwinnie.com/?p=20

Roger said:

I was meaning to blog about that last week. I did mention it at work, but never got it on the blog.

I installed xpsp3 on my home computer. Secunia Personal Software Inspector alerted that I had an old version of Flash, but it was not build 115. The sp3 install added flash.ocx version 6.0.79.0.

Secunia likes to go nuts about old versions of flash so I just renamed the file. IE can only use one version of flash at a time. I verified the version I was running (build 124 for both IE and Firefox) and called it a day.

I'm not sure what other people are seeing but I definitely didn't see build 115 replace build 124. I'll have to watch for that as I upgrade other computers.


About this Entry

This page contains a single entry by Roger published on June 3, 2008 7:45 PM.
