[OT] Re: FW: US-CERT Technical Cyber Security Alert TA06-075A -- Adobe Macromedia Flash Products Multiple Vulnerabilities

Todd Zullinger tmz at pobox.com
Mon Mar 20 02:18:47 UTC 2006



Gene Heskett wrote:
> I have that same problem.  First, this advisory is a wee bit old,
> and second the files in that rpm are as you say, obviously dated to
> well before this vulnerability was published.  Like Dec 8, 2005.

Well, we're far off topic here, but in the hopes of adding
useful knowledge to the pool, here are a few comments.

Looking at the CVE[1], it appears that this issue was assigned on
2005/11/30.  So it's very possible that Macromedia had a chance to
update their legacy 7x flash code by the 8th.

Sure, the files from the Macromedia archive are dated Dec 8 and they
didn't issue the advisory until Mar 14.  This could be due to any
number of factors.  Maybe developing a fix for the newer 8x flash
player (for windows and mac, not *nix) took longer.  Or it could be
that some of Macromedia's partners needed/wanted more time to get
patches integrated before the security hole was released.

It's also quite possible that Macromedia just isn't as fast to push
out patches as many of us in the free software world are used to.

> If this is indeed a vulnerability fix, I think we have a reasonable
> expectation of finding the executable code at least as new as the
> show-license file.

Why?  The show-license file is something added in packaging the rpm,
not a part of the tarball that Macromedia provides.

> Something doesn't quite smell edible here methinks.

But then the question is, what steps have you taken to verify your
suspicions? :)

Here are a few minutes' worth of investigation (yeah, I should have
probably spent this time on one of the many packages in the Legacy queue).

    The changelog for the rpm states:

        * Wed Mar 15 2006 Warren Togami <wtogami at redhat.com> 7.0.63-1
        - CVE-2006-0024

    The rpm is signed with the security at fedora.us key.

    The md5sum of the tarball from Macromedia's site matches that of
    the tarball in the flash-plugin SRPM.

    The Macromedia tarball's Readme.txt says:

        "Users should only install Players that have been downloaded
        from trusted sources, such as http://www.macromedia.com/ or
        http://macromedia.mplug.org/"

    (So Macromedia is showing their trust in the mplug distribution
    site, for what that's worth.  I figure if you trust them enough to
    run their [closed source] code on your box, that you might also
    trust them if they point you to a download site.)

Unless there's been a breach of the fedora.us key that I don't know
about, I take the above as plenty of evidence that there isn't
anything suspicious about the flash-plugin rpm.

[1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024

-- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
...more people are driven insane through religious hysteria than by
drinking alcohol.
    -- W.C. Fields

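The package-provenance checks Todd walks through (signed rpm, changelog entry, upstream tarball matching the one in the SRPM) as a small set of shell functions. This is an added example, not code from the original thread; the rpm, SRPM and tarball paths are assumed arguments, and the signing key is assumed to have been imported with `rpm --import` beforehand.

```shell
#!/bin/sh
# Added example: reproduce the flash-plugin verification steps from the post.

# 1. Is the rpm signed by a key we trust? Fails if the signature is bad or
#    the key is not in the rpm keyring (import it first with `rpm --import`).
verify_rpm_signature() {
    rpm --checksig "$1"
}

# 2. Show the top of the changelog so the CVE reference can be read.
show_rpm_changelog() {
    rpm -qp --changelog "$1" | head -n 5
}

# 3. Unpack the SRPM (a cpio archive) into $2 so its tarball can be compared.
extract_srpm() {
    srpm="$1"; dest="$2"
    mkdir -p "$dest"
    ( cd "$dest" && rpm2cpio "$srpm" | cpio -idm --quiet )
}

# 4. Compare the digest of two files. md5sum is what the post used; swap in
#    sha256sum where available. Prints both digests, returns 0 only on a match.
digest_matches() {
    tool="${3:-md5sum}"
    a=$("$tool" "$1" | cut -d' ' -f1)
    b=$("$tool" "$2" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$a" "$1" "$b" "$2"
    [ "$a" = "$b" ]
}

# Typical run: verify_rpm_signature flash-plugin.rpm
#              extract_srpm flash-plugin.src.rpm ./srpm
#              digest_matches upstream.tar.gz ./srpm/upstream.tar.gz
```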