MS06-020: Vulnerabilities in Macromedia Flash Player from Adobe could allow remote code execution

Microsoft has released security bulletin MS06-020. The security bulletin contains all the relevant information about the security update for Macromedia Flash Player from Adobe. This includes file manifest information and deployment options. To view the security bulletin, visit one of the following Microsoft Web sites:

• Home users:
  http://www.microsoft.com/athome/security/update/bulletins/200605.mspx (http://www.microsoft.com/athome/security/update/bulletins/200605.mspx)
• IT professionals:
  http://www.microsoft.com/technet/security/bulletin/ms06-020.mspx (http://www.microsoft.com/technet/security/bulletin/ms06-020.mspx)

Known issues

Consider the following scenario. Users install Flash Player 7 or Flash Player 8 on a computer that previously had a version of Flash Player 6 installed on it. The MS06-020 security update was not installed on that version of Flash Player 6. Users then uninstall Flash Player 7 or Flash Player 8. Thereafter, they will be offered the MS06-020 security update every time that they visit the Windows Update or the Microsoft Update sites. If users enable Automatic Updates, they will also be offered the MS06-020 security update through that mechanism.

In these cases, the MS06-020 security update will not install, and users will receive the following error: Windows Update, Microsoft Update, and Automatic Updates will continue to offer the MS06-020 security update.

Note This problem does not occur if users install the MS06-020 security update on a system with Flash Player 6 before they install Flash Player 7 or Flash Player 8.

WORKAROUND

There are three methods to work around this problem. Any one of these workarounds will prevent Windows Update, Microsoft Update, and Automatic Updates from offering to install the MS06-020 security update. These workarounds are as follows:

• Visit the Windows Update or Microsoft Update home pages. Locate the MS06-020 security update in the list of updates that are offered. This update will appear as “Security Update for Macromedia Flash 6 (KB913433).” Click the plus sign next to the update, and then click to select the Don’t show me this update again check box.
• Locate and delete the following files on your computer:
  • Flash.ocx
  • Swflash.ocx
  Note One or both of these files may be installed on your computer. Typically, these files are installed in the %windir%\system32\Macromed folder.
• Install the latest version of Flash Player. For more information, visit the following Adobe Web site:
  http://www.adobe.com/support/flashplayer/downloads.html (http://www.adobe.com/support/flashplayer/downloads.html)

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Note This issue does not leave the user’s system in an insecure state where the Flash Player is concerned, even though the security update could not be installed. The security update cannot be installed because the Flash Player files are present, but they are not registered. Because they are not registered, the Flash Player cannot be run. As soon as one of the files are reregistered, the user will resume receiving security updates through the regular channels.