Adobe Flash Updater accessed the internet... but how?

When I booted up this morning (win XP pro) I went to make a cup of tea and when I got back a program called FlashUtil9D.exe was informing me that Flash Player had an update as described in APSB07-20. What is confusing me is how it got access to the internet. I had not started a browser, there are no Adobe programs in my startup sequence (I use Start Up Control Panel by Mike Lin) and Zone Alarm is configured to 'ask' for all Adobe applications.

The only thing I can think is that Flash knew about the update last night and waited till restart to tell me, but this doesn't sound right because Start Up Monitor normally catches any prog that leaves a runonce in the registry.

Any ideas? Maybe Adobe has given me a rootkit. I wouldn't be overly surprised.

petethebloke

So what? It's loaded as a Browser Helper Object through the MSHTML engine in Windows Explorer.

Why should this matter? Anyway, why have you installed such a nonsense?

Installing privileged services as documented is no rootkit.

But surely you should expect your system to be compromised and rootkitted, since you obviously invited malware.

Sebastian G.

Hee hee. Thanks Sebastian. Is it the MS WinXP that you consider malware or the Adobe Flash player? Unfortunately, my line of work means I have to have Flash player available even though my settings on the Proxomitron prevent downloads of most of the nice little movies that people seem to value so highly.

Flash is loaded as a BHO in IE7, you're right there, but I still can't see how it updates before I start IE7 - which I don't, very often. From what you're saying, it must be started by Windows and allowed out through ZoneAlarm as "Generic Host Process win32".

Why does it matter? Because when you think you have your computer nailed down the way you like it, it's a bit annoying to find that a sneaky little program that you don't even like using has somehow bypassed all your day-to-day controls.

petethebloke

None. I Just told you that you're obviously inviting malware by having installed ZoneAlarm.

Because Windows Explorer uses some shell control from IE.

Nonsense. Every service running under the LocalSystem account can use Raw Sockets to bypass NDIS filtering drivers. Which is exactly what the Adobe License Manager Service used in some of the expensive Adobe software packages does (according to documentation and supervision).

Your computer is anything but nailed down. Heck, you have installed ZoneAlarm!

Sebastian G.

Thanks for the comments. I use Dreamweaver and the FNPLicensing Service has to be going or DW won't start. That probably explains it (although Adobe Updater still gets blocked by ZA before I allow it access to the internet - that must be the less surreptitious version of Adobe updater).

It's interesting what you say about ZA. I've been using it for several years and I suppose habit is a bad thing. It has become less what I want it to be in the last year or two, but I complacently figured that it would give me the protection I need when combined with my network router. I did get a nasty shock at Christmas though, my son's Xbox 360 was able to reconfigure my router entirely without so much as asking if I minded. I presume that's uPNP?

petethebloke

According to Adobe's documentation, the License Manager Service's connection can be used to circumvent obvious misconfigurations (like ZoneAlarm) when Adobe Updater can't find any connection.

I figured that many computer users are unable to recognize the overly spurious claims of ZoneAlarm as the pure irony it is. I also figured that these people never bother to verify the functionality, much less inform themselves about known problems and vulnerabilities.

Most likely. uPNP, due to being totally unauthenticated, is one of the most stupid ideas in computer history.

Sebastian G.

Thanks again Sebastian. You've given me some food for thought. I'll look at replacing ZA.

Your assumption that "people" never bother to check functionality is not quite correct in my case - I use GRC's ShieldsUp scan periodically. I don't expect this to make me totally cracker-proof but I imagine most script kiddies will move on to easier pickings. You'll probably pooh-pooh my naive faith in such amateur methods of defence but I don't have a lot to hide so I'll probably keep gambling!

But seriously... thanks for your time.

Pete

petethebloke

Which in turn proves my statement, since this lousy web application of the well-known charlatan Gibson is about the most wonderful creator of fantasy reports I've ever seen.

With only two missing points:

- Your system is trivially vulnerable.

- Scripts are not intelligent enough to tell differences. They simply fire out all exploits and wait for the compromised systems to report back.

- It's not about them choosing your machine, it's about you choosing their webservers. Just surfing to a website is enough to compromise a system running ZoneAlarm, and since many legitimate websites include content from untrusted third parties, it's not like you could avoid this.

Sebastian G.

You're a bundle of fun. I must read through your old posts to find out what you recommend as a solution.

petethebloke

Pete,

Welcome to the group, and sorry I didn't intervene sooner.

You need to know that Sebastian was apparently breastfed by his father. His mother said she only liked him as a friend. It explains his winning personality a bit.

Among his more interesting takes, Sebastian recommends using no anti-virus software at all and using Windows firewall exclusively for inbound protection. He seems to prefer the latter yet argues oddly that there isn't any value in home gateway devices that default deny all unsolicited inbound connections. I intentionally avoid the use of the word "firewall" here because it's another of Sebastian's ranting points that such devices aren't "real firewalls."

Sebastian's contributions aren't entirely worthless, but you do have to apply a liberal filter to his Tech Support Guy bully idiom to glean those things. We know far more about what Sebastian dislikes than what we know about what he actually likes. The world has been cruel to him, perhaps. We may never be sure.

At any rate, I certainly wouldn't take anything he says as the final word on anything.

Best Regards,

Todd H.

I'm open to hearing an example. Say... oh, Broadcom based box running Tomato, openwrt or dd-wrt (by the way you have anything/everything to do with that project or is your name just rather similar to Sebastian Gottschall?).

And why shouldn't they block unsolicited inbound?

Horribly broken how? Name names.

Todd H.

Sorry, but this outrageous comment makes you a sick bastard lacking any kind of decency.

Gerald

Gerald Vogt

Truth be known, I'm more of a guy who can recall and apply some really good Rodney Dangerfield lines when the opportunity arises. :-)

Best Regards,

Todd H.

Thanks Todd, for your intervention. Please don't let yourself be dragged into a flame war when you were just coming to the aid of this passing traveller (even if you did kind of start the ball rolling in the insult department - but Sebastian doesn't come across as the sort of fellow who needs mollycoddling). I read a few other threads Sebastian contributed to and he strikes me as a very clever, polyglot, computer expert who is torn between being generous with his time and maintaining his contempt for the average joe. He may not have oozed the milk of human kindness, but he took the time to reply and to justify his point of view, even if he didn't suggest or recommend alternatives. I'm indebted to him - USENET depends on people who give up a few minutes here and a few minutes there to help strangers and I'm always astonished by the generosity I find in groups like this.

Pete

petethebloke

Excuse me... I thought you understood the meaning. I should have written "generally don't". Some implementations, mostly from free volunteers instead of the vendor, actually are reliable.

Because it's not the purpose of NAT. NAT is supposed to provide connectivity, and in fact for a 1:1 NAT anything but forwarding all inbound traffic would be technically wrong.

application layer NAT helpers, heuristics, bad IP fragment reassembly...

Sebastian G.

*plonk*

cu

59cobalt
Ansgar -59cobalt- Wiechers

Fair nuff. Your saying "they don't [provide any value]" did paint with an awfully broad brush.

So I guess then Buffalo branded devices will soon have your stamp of approval and soften you from the "home nat routers are worthless" stance?

That's like saying "real muscle cars didn't have seatbelts and modern ones shouldn't either," then calling a modern car "unsafe and shouldn't be." That's kinda bizarre to me.

I think that criticism is poorly placed. These boxes are not sold as "pristine brilliant pure NAT devices" nor should they be. They're sold in no small part to protect home networks from the constant barrage of network based scans. No one cares about the purity of the NAT definition - so long as unsolicited inbound network traffic is reliably blocked, what does it matter?

This also paints with a pretty broad brush. Has anyone published anything on say, the oft-recommended Linksys WRT54G about such issues?

Best Regards,

Todd H.

You make a good point. As I hinted earlier, for all of the faults of the ever acerbic Sebastian, when pressed on technical points, he will give up information if asked, which is why this forum is certainly better off with him than without. However it's the default "bash, trash, but not compellingly explain" modus operandi that leaves me scratching my head many times. It's a strange thing to be on one hand generous with your time, yet be contemptuous toward those to whom you're giving it. Depends on one's altruism-to-makin-myself-feel-smart motivation ratio for participating in usenet, I suppose.

Best Regards,

Todd H.

No. The problem with NAT is that there're multiple ways to influence client applications to trigger forwarding rules. Just take a look at Flash and Java, not mentioning VoIP applications...

Because it creates connectivity problems? Because your proclaimed reliable doesn't exist, by design? Because such a blockade is pretty superfluous?

Yes, see . Please denote that this is not a problem of the implementation, but the configuration: If the interface would allow proper low-level access to netfilter/iptables instead of the limited front-end, one could properly take the FTP NAT helper into account (or even deactivate it).

Sebastian G.
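The point Sebastian makes above, that a client program such as a Flash or Java socket can make a NAT router open an inbound forwarding through its FTP helper, is easier to see with a toy model. The following is an added example written for this page, not code from the thread or from any router firmware. It models a connection-tracking FTP helper the way such helpers generally work: watch outbound traffic to TCP port 21, parse active-mode PORT commands, and create an "expectation" so the server's inbound data connection is forwarded to the host:port the command names. The helper cannot tell a real FTP client from any other program writing bytes to a socket, so a web page driving a plug-in socket to an attacker's "FTP server" can have the victim's own port opened. The names (`Expectation`, `ftp_helper_expectations`, the `allow_other_host` and `helper_enabled` switches, the 192.168.1.x addresses) are this example's own assumptions, not any vendor's API or defaults.

```python
"""Toy model of an FTP NAT helper (connection-tracking ALG).

Added example for illustration; hypothetical names, not from any router.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

FTP_CONTROL_PORT = 21
# RFC 959 active-mode request: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2).
PORT_RE = re.compile(
    rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n"
)


@dataclass(frozen=True)
class Expectation:
    """One inbound connection the NAT will now forward to an internal host."""
    dst_ip: str
    dst_port: int


def build_port_command(ip: str, port: int) -> bytes:
    """Bytes any client writes on the control channel to ask for an
    active-mode data connection to ip:port.  A real FTP client sends this;
    so can a plug-in socket that a web page controls."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    octets = str(IPv4Address(ip)).replace(".", ",")
    return f"PORT {octets},{port >> 8},{port & 0xFF}\r\n".encode()


def ftp_helper_expectations(client_ip, dst_port, payload, *,
                            helper_enabled=True, allow_other_host=False):
    """Expectations the helper creates for one outbound TCP payload.

    helper_enabled=False models a router whose FTP helper is switched off
    (what the post above calls deactivating it).  allow_other_host models a
    helper that honours PORT commands naming a host other than the one that
    opened the control connection; a stricter helper drops those.
    """
    if not helper_enabled or dst_port != FTP_CONTROL_PORT:
        return []
    created = []
    for m in PORT_RE.finditer(payload):
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            continue  # malformed command; a helper ignores it
        ip, port = f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2
        if port == 0:
            continue
        if ip != client_ip and not allow_other_host:
            continue  # naming a third host is refused by a strict helper
        created.append(Expectation(ip, port))
    return created


if __name__ == "__main__":
    victim = "192.168.1.10"  # constructed LAN address of the victim PC
    # Constructed payload: a plug-in socket to attacker:21 sends a PORT
    # command naming the victim's own address and port 139 (NetBIOS).
    payload = b"USER anonymous\r\n" + build_port_command(victim, 139)
    print("helper on :", ftp_helper_expectations(victim, 21, payload))
    print("helper off:", ftp_helper_expectations(victim, 21, payload,
                                                 helper_enabled=False))
```

The strict-host check blocks a PORT command that names another machine on the LAN, but it does nothing against the case the post describes, because the victim's own address is exactly what the attacker's page supplies; only disabling the helper, or not applying it to traffic the client initiated to arbitrary hosts, closes that path.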

Patch (authentication bypass holes that have befallen Linksys in the past) and disable the inanity of uPNP and we're done with that though.

Or do you have something else in mind?

Like hundreds of thousands of people, I use one of these classes of boxes. What connectivity problems?

How do you posit that inbound blocking on a nat router is any more superfluous than the Windows Firewall software that you do seem to like?

Interesting. Wish the test description weren't in German though. Is there a BID on this vuln? Or basically, I'm now curious what this test was.

Best Regards,

Todd H.

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.