Adobe Flash Player v10.0.45.2 - Critical Flash Player Bug Feb 2010
Posted by: Yogi
Date: February 12, 2010 01:36PM

Quote

Release date: February 11, 2010

A critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests.

Affected software versions
Adobe Flash Player 10.0.42.34 and earlier versions
Adobe AIR 1.5.3.1920 and earlier versions

download page
ZIP package

For most of you the below instruction is superfluous but nevertheless it might be useful for some noobs.

Extract the content of the zip.
Among the extracted files you will find the standalone player and the file "Install Flash Player 10 Plugin.exe".
You can now extract from the latter the browser plugin (NPSWF32.dll) by using UniExtract or 7z.



Edited 1 time(s). Last edit at 02/14/2010 03:25PM by disrupted.

Critical Flash Player Bug Feb 2010
Posted by: ndebord
Date: February 12, 2010 08:34PM

http://www.adobe.com/support/security/bulletins/apsb10-06.html

"the attacker would be able to execute a general class of cross-site request forgery type of attacks..."

This is an off-cycle patch. Normally Adobe only patches quarterly.

N

Re: Critical Flash Player Bug Feb 2010
Posted by: ndebord
Date: February 14, 2010 12:21PM

http://www.adobe.com/software/flash/about/

Adobe Flash 10,0,45,2 released is a security update


At the very least, you should update your NPSWF32.DLL file in KM's Plugins folder.

N

Re: Critical Flash Player Bug Feb 2010
Posted by: disrupted
Date: February 14, 2010 03:24PM

flashswitcher has been updated to latest 10.0.45.2 (available from web dev page). flashplugin(standalone) has been updated available from browser plugins page.

as always the npswf32.dll has been hexed to enable saving embedded videos in the tmp directory as *.tmp files instead of getting deleted as soon as the video has stopped playing
http://kmext.sf.net/scripts/hexingflash

special thanks to andy from ferretsoft http://ferretsoft.active.ws/ for the tip

Re: Critical Flash Player Bug Feb 2010
Posted by: ndebord
Date: February 14, 2010 10:10PM

disrupted,

I don't know what hex program you use, but I use an old DOS one.

So when you find this hex string:

14 6A 02 6A 00

you patch it by changing it to:

10 6A 02 6A 01

At least that is what I think you do??? Am I close or???

Tks.

N

Re: Critical Flash Player Bug Feb 2010
Posted by: siria
Date: February 14, 2010 11:50PM

Thanks for the info Yogi.

For the dwindling numbers of 9x users, the flash9-plugin has been updated too:
http://kb2.adobe.com/cps/406/kb406791.html

The "Netscape" one is for KM. The download is an exe-file but can simply be unzipped with 7zip, to get the new plugin NPSWF32.dll (version 9-0-262-0)

Re: Critical Flash Player Bug Feb 2010
Posted by: Yogi
Date: February 15, 2010 05:15AM

Quote
ndebord
disrupted,

I don't know what hex program you use, but I use an old DOS one.

So when you find this hex string:

14 6A 02 6A 00

you patch it by changing it to:

10 6A 02 6A 01

At least that is what I think you do??? Am I close or???

Tks.

Disrupted may confirm me or not.
As far as I can see you are right :)
You can verify the MD5 of your patched file with that of Disrupted's one.
The tool he used is AXE.

You can use several freeware editors for this purpose. HEXEdit comes to my mind but it's just one of many.



Edited 1 time(s). Last edit at 02/15/2010 05:16AM by Yogi.

Re: Critical Flash Player Bug Feb 2010
Posted by: ndebord
Date: February 15, 2010 10:57AM

Quote
Yogi


Disrupted may confirm me or not.
As far as I can see you are right :)
You can verify the MD5 of your patched file with that of Disrupted's one.
The tool he used is AXE.

You can use several freeware editors for this purpose. HEXEdit comes to my mind but it's just one of many.

Yogi,

Thanks... just wanted to make sure. As for the hex editor, I use a very old one.

dBUG V 2.0 (c) 1984,1988 William Schroeder

N

Re: Critical Flash Player Bug Feb 2010
Posted by: disrupted(unlogged)
Date: February 15, 2010 11:42PM

there's no need to hex out the flash plugin if you've downloaded it or flash switcher from kmext..they have been hexed already, it was just a reference for the future if anyone needs it

that was an ancient abandonware version of axe which still works great, it comes with own free serial but there's not much point cause there are many good freeware alternatives now.

this is what i normally use:
http://www.mitec.cz/hex.html

Re: Critical Flash Player Bug Feb 2010
Posted by: ndebord
Date: February 16, 2010 06:24AM

Quote
disrupted(unlogged)
there's no need to hex out the flash plugin if you've downloaded it or flash switcher from kmext..they have been hexed already, it was just a reference for the future if anyone needs it

that was an ancient abandonware version of axe which still works great, it comes with own free serial but there's not much point cause there are many good freeware alternatives now.

this is what i normally use:
http://www.mitec.cz/hex.html

disrupted,

Yes, I did use your patched version at first, then I got bored and decided to patch one myself, just to see if it would work!

N

Re: Critical Flash Player Bug Feb 2010
Posted by: Kamelot
Date: February 17, 2010 01:57AM

Mmmmh... I don't have this .dll in plugins folder of KM. Player Flash works smoothly! ???

I extracted NPSWF32.dll and I copied it in KM plugins folder, but (from about:plugins) KM always uses the old version (r42):

Quote
about:plugins
Shockwave Flash

File name: NPSWF32.dll
Shockwave Flash 10.0 r42

I see this file is in Windows' directory.
Maybe I have to overwrite this file?

Thanks.

Re: Critical Flash Player Bug Feb 2010
Posted by: disrupted
Date: February 17, 2010 06:21AM

that's not right, kmeleon or any gecko will never use the global plugin if it finds one in its plugins folder.. did you try to replace the plugin when the browser was running? you can not replace a dll when it's been called like a flash website.

try again, make sure the browser is closed (including loader if applicable), replace the dll and make sure it was over-written, you can check that by right clicking on npswf.dll and checking the versions in property sheet

also do this, go to about:config and search for this pref:
plugin.expose_full_path
set it to true

open about plugins page(help>about plugins)
and see the path for the npswf32.dll..it should be pointing to the one in your plugins folder

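Added example, not part of any post in this thread: the thread writes Flash versions in several notations ("10.0.42.34", "10,0,45,2", "9-0-262-0", and the about:plugins form "Shockwave Flash 10.0 r42"), so this Python helper normalizes them and compares against the fixed builds named in the thread (10.0.45.2, and 9.0.262.0 for the Flash 9 plugin). The function names and the result labels are assumptions of this example.

```python
import re

# Fixed builds as named in the thread, keyed by major version:
# 10.0.45.2 (Adobe's update) and 9.0.262.0 (the Flash 9 plugin).
FIXED = {10: (10, 0, 45, 2), 9: (9, 0, 262, 0)}


def parse_version(text):
    """Return (major, minor, release, build); build is None when not stated."""
    # about:plugins description form, e.g. "Shockwave Flash 10.0 r42"
    m = re.search(r"(\d+)\.(\d+)\s+r(\d+)", text)
    if m:
        return (int(m[1]), int(m[2]), int(m[3]), None)
    # Four-part forms separated by '.', ',' or '-'
    m = re.search(r"(\d+)[.,-](\d+)[.,-](\d+)[.,-](\d+)", text)
    if m:
        return tuple(int(g) for g in m.groups())
    raise ValueError("no Flash version found in %r" % text)


def status(text):
    """Classify a version string as affected, patched, or undecidable."""
    v = parse_version(text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown-branch"      # no fixed build for this major on the page
    if v[3] is None:
        # The description string omits the build number: decide on the
        # first three fields, and refuse to guess when they are equal.
        if v[:3] < fixed[:3]:
            return "affected"
        if v[:3] > fixed[:3]:
            return "patched"
        return "check-build"         # read the DLL's file properties instead
    return "patched" if v >= fixed else "affected"


if __name__ == "__main__":
    # Constructed inputs using the notations that appear in the thread.
    for s in ("10.0.42.34", "Adobe Flash 10,0,45,2",
              "Shockwave Flash 10.0 r42", "9-0-262-0"):
        print(s, "->", status(s))
```

A "check-build" result means the description string alone cannot settle it; the file version in the DLL's property sheet, as described in the post above, gives the full four-part number.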
Re: Critical Flash Player Bug Feb 2010
Posted by: Kamelot
Date: February 18, 2010 03:34PM

Quote
disrupted
[...] try again, make sure the browser is closed(including loader if applicable)[...]
Thanks, disrupted, I was a fool: the problem was that I did it with KM open! :P

Quote
disrupted
...also do this, go to about:config and search for this pref:
plugin.expose_full_path
set it to true
I didn't know this trick: now I can see the full path.
Sorry, but I'm a novice user of KM. :)

Thanks again.
