A few weeks ago I was running a periodic scan of my XP Pro system at work using The Secunia Software Inspector.
It found that I had an out-of-date version of Flash. Specifically, version 126.96.36.199.
It helpfully pointed out the file was installed in C:\Windows\SYSTEM32\Macromed\Flash\ folder.
Since Adobe doesn't provide an "un-installer" for Flash, and new versions are simply installed alongside the current one, I knew I would just have to pop in there and manually delete the file.
Only when I went to do so, it refused to let me, despite my Administrator level permissions.
The Hunt Begins!
So I first closed out all my browsers and tried again, thinking it was a "locked file." Nope.
Then I ran Process Explorer and did a search for the file, to see who was using it. No one was found.
So I rebooted and tried again. Nada.
Then I tried to delete it in Safe mode. Not budging.
In frustration I booted with a Linux Live CD and tried one more time. It was stuck!
Getting frustrated now, I rebooted back into normal mode and re-approached the situation.
I looked at the file properties and (doh!) saw that it was set to "Read only." Should have known.
So I removed the read-only permission setting and tried again. Nope!
Mysteriously, the read-only property setting had come right back again.
So I checked the security permissions for the file, and all were checked (allowed), showing that under my Administrator level profile I should be able to remove the read-only attribute. But it staunchly refused all my Administrator attempts to change the property.
So I hit the Web and reviewed my understanding of displaying and changing file attributes: Attrib - Edit file attributes. Unfortunately nothing seemed amiss with this command-line level inspection.
However that article pointed me to the XP command "Cacls": Cacls - Modify Access Control List
The "CACLS" stands for (best I can tell) the Control Access Control List program.
I opened a command-line session and browsed into that folder and ran the CACLS command against the Flash9c.ocx file and got the following results (slightly cleaned up):
C:\Windows\System32\Macromed\Flash\Flash9c.ocx Everyone:(DENY)(special access:)
NT AUTHORITY\ANONYMOUS LOGON:(DENY)(special access:)
Any guesses what immediately struck me in the output?
How about those "(DENY)(special access:)" entries, which deny FILE_WRITE_ATTRIBUTES.
So I went back and did a bit more looking and found this interesting Microsoft technical bulletin: How to set, view, change, or remove special permissions for files and folders in Windows XP.
Once I reviewed that article I knew what I had to do.
Release the Hounds!
I opened Windows Explorer and browsed back to the file.
I right-clicked the file and selected "Properties."
I clicked the "Security" tab, and this time noticed the "Special Permissions" line in the bottom section that I had missed before, being so used to looking only at the expected "Full Control, Modify, Read & execute, Read, and Write" options.
On the Security tab, I clicked the "Advanced" button to drop into the "Advanced Security Settings" for the file.
One by one, I selected each line that showed "Deny" as the type and clicked the "Edit" button.
In the pop-up window that followed, I unchecked the "Deny" tickbox and saved the changes.
Then I applied the changes.
Then I right-clicked the file and selected "Properties" again.
This time I removed the "Read-only" setting and applied the change.
Finally I deleted the file without any issues.
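The same inspect-then-strip procedure as a script, added here as an example rather than anything from the original post. It lists files under a folder whose ACL carries an explicit Deny on write-attributes or delete rights (which is also a quick audit for the trick), then removes only those Deny entries, clears Read-only and deletes the file. The Flash folder path is taken from the post; the function names are my own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
# Audit: report files whose ACL carries an explicit Deny on the rights that block
# attribute changes or deletion, which is exactly what stopped Flash9c.ocx going away.
function Find-DenyAce {
    param([Parameter(Mandatory)][string]$Path)
    $watched = [int]([System.Security.AccessControl.FileSystemRights]::WriteAttributes) -bor
               [int]([System.Security.AccessControl.FileSystemRights]::Delete)
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny' -and
                (([int]$ace.FileSystemRights -band $watched) -ne 0)) {
                [pscustomobject]@{
                    File      = $file.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    ReadOnly  = $file.IsReadOnly
                }
            }
        }
    }
}

# Remediate: strip the explicit Deny entries (Allow entries are left alone), then the
# attribute can be changed; clear Read-only and delete, as in the GUI steps above.
function Remove-DenyAceAndDelete {
    param([Parameter(Mandatory)][string]$File)
    $acl  = Get-Acl -LiteralPath $File
    # RemoveAccessRule only drops explicit ACEs; an inherited Deny would instead have
    # to be removed on the parent folder (or inheritance broken), so it is reported here.
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    foreach ($ace in $deny) {
        if ($ace.IsInherited) { Write-Warning "Inherited Deny from parent: $($ace.IdentityReference)"; continue }
        [void]$acl.RemoveAccessRule($ace)
    }
    if ($deny.Count -gt 0) { Set-Acl -LiteralPath $File -AclObject $acl }
    Set-ItemProperty -LiteralPath $File -Name IsReadOnly -Value $false
    Remove-Item -LiteralPath $File -Force
}

# Folder from the post; Flash9c.ocx is the file it describes.
$flashDir = 'C:\Windows\System32\Macromed\Flash'
Find-DenyAce -Path $flashDir | Format-Table -AutoSize
# Remove-DenyAceAndDelete -File (Join-Path $flashDir 'Flash9c.ocx')
```

Get-ChildItem's -File switch needs PowerShell 3.0 or later; on an older box drop it and filter on -not $_.PSIsContainer instead.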
Serious Questions Remain
I discussed this finding with one of my network analysts who also hadn't ever run into any files set with a "special permissions" file setting.
We both chalked it up as an interesting exercise and I made a mental note to maybe post about it.
Only how useful could this information really be?
So today, when I ran Secunia Software Advisor on my home Vista Home Premium system, it spotted that crazy Flash9c.ocx file. So I went and downloaded the new version from Adobe and then went to delete the file.
Yep. Same problem again!
The Flash9c.ocx file had special permissions set on it as well, denying the right to change the file attributes. Having gone through this before on my XP Pro system I didn't hesitate. I knew what to do and the file was deleted almost as an afterthought.
So now I am left with some questions.
As I understand it, these ACL properties only hold for NTFS partitioned drives. So users who don't have their Windows drives NTFS formatted shouldn't encounter this.
- But why would Macromedia release a file set with such a specialized property?
- If they didn't, how did this file get set that way on multiple and different OS versions? Not something I did, that's for sure!
- If Adobe can do this, could/do malware writers attempt to try this trick as well to prevent removal of the file(s) by anti-malware applications and end-users?
- How many others have run into this issue with this or unrelated files and just given up and left the darn things present; or worse...figured something was corrupted on their file system and wiped/reloaded everything from scratch?
Very interesting indeed.