January 23, 2010

Last week, Adobe Systems Inc. shipped critical security updates for its PDF Reader software. Now comes an update that fixes at least two critical flaws in Adobe’s Shockwave Player, a commonly installed multimedia player.

Not sure whether you even have Shockwave Player on your system? You’re not alone. Because of a long history of rebranding between Macromedia and Adobe, the various naming conventions used for this software are extremely confusing. Here’s Adobe’s effort to draw clearer distinctions between the Flash and Shockwave multimedia players:

Both Flash and Shockwave are multimedia players. They can give you extended and predictable abilities across a range of browser brands, versions, and platforms. (Sometimes you might hear someone refer to “Shockwave Flash”, but these are actually two different multimedia players.)

Flash has a small player which gives it a wider distribution. Flash is included in every Netscape download. Flash also has a very fast startup time. The way the Flash format interleaves media and instructions also helps it start quickly.

Shockwave has a deeper player. It offers multiuser chat, XML parsing, HTML manipulation, an extensive and fast scripting language, distant file retrieval, programmatic control of vector shapes, and bitmap manipulation.

Firefox lists the regular Flash Player plugin as “Shockwave Flash,” because that is the name the plugin itself reports to the browser. Firefox users can find it under “Tools,” “Add-ons,” and then under the “Plugins” tab. By the way, the latest, most secure version of Flash is v. 10.0.42.34, so if your version of Flash is lower than that, it’s time to update your Flash Player as well. Adobe shipped an update in December that fixed at least seven critical vulnerabilities in Flash. Instructions on how to update the Flash Player to the latest version are available here.

Here’s a way to test whether you even have Shockwave Player on your system (I don’t, and since I apparently haven’t missed it, I’m adding it to the list of programs you can probably do without unless you have a specific need for it). Visit this page. If it says you need to install a missing plugin, then you don’t have Shockwave Player installed, and you probably don’t need it.

If that link above shows that you do have Shockwave Player installed, it’s time to update it. The flaws are in Shockwave Player version 11.5.2.602 and earlier. Adobe recommends that Shockwave users actually uninstall the program (Windows users can do this via the Add/Remove Programs menu), and then reboot before attempting to install the latest, patched version (v. 11.5.6.606), available here.

Updates are available for both Windows and Mac systems. Adobe’s advice about removing the old version of Shockwave and restarting before installing the update would appear to apply to Mac users as well. Once the new version is installed, go back to the test page or your browser’s Plugins tab and confirm that the version shown is 11.5.6.606; an uninstall that leaves the plugin file behind will still show up there as the old version. Here’s the full advisory from Adobe.
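The two checks above (is the plugin present, and is it at or above the patched version) can be done from the browser itself, since the plugin list Firefox shows under the Plugins tab is the same one exposed to pages as navigator.plugins. The following is an added example, not code from the original post or from Adobe. It assumes the Shockwave Player plugin reports its name as “Shockwave for Director” (the post does not state this name; only the “Shockwave Flash” name for Flash Player comes from the page), and the sample plugin list at the bottom is constructed for offline use, not captured from a real machine.

```javascript
// Added example, not code from the original post. It applies the version
// checks the post describes to the name/version strings a browser exposes
// through navigator.plugins, using the patched versions the post quotes:
// Flash Player 10.0.42.34 and Shockwave Player 11.5.6.606.

// Keys are the names the plugins report to the browser, which is why Flash
// Player is listed as "Shockwave Flash". "Shockwave for Director" as the
// Shockwave Player plugin name is an assumption; the post does not state it.
const MIN_PATCHED = {
  'Shockwave Flash': { product: 'Flash Player', min: [10, 0, 42, 34] },
  'Shockwave for Director': { product: 'Shockwave Player', min: [11, 5, 6, 606] },
};

// Pull the numeric components out of whatever string is available:
// "10.0.42.34", "10,0,42,34" or the description form "Shockwave Flash 10.0 r42".
function parseVersion(text) {
  const nums = (String(text).match(/\d+/g) || []).map(Number);
  return nums.length ? nums : null;
}

// Compare component by component, but only over the components the plugin
// actually reported. A description such as "Shockwave Flash 10.0 r42"
// carries three numbers, so it can prove 10.0.32 is outdated but cannot
// confirm the fourth component of 10.0.42.34; that case is reported as
// 'unknown' rather than guessed either way.
function patchStatus(version, min) {
  for (let i = 0; i < min.length; i++) {
    if (i >= version.length) return 'unknown';
    if (version[i] !== min[i]) return version[i] < min[i] ? 'outdated' : 'patched';
  }
  return 'patched';
}

// plugins: navigator.plugins or any array of {name, description, version?}.
// Returns { 'Flash Player': {installed, version, status}, 'Shockwave Player': {...} }.
function auditPlugins(plugins) {
  const list = Array.from(plugins);
  const report = {};
  for (const [pluginName, { product, min }] of Object.entries(MIN_PATCHED)) {
    const p = list.find((x) => x.name === pluginName);
    if (!p) {
      report[product] = { installed: false, version: null, status: 'not installed' };
      continue;
    }
    // Prefer the explicit version field where the browser supplies one and
    // fall back to the numbers embedded in the description.
    const version = parseVersion(p.version || p.description || '');
    report[product] = {
      installed: true,
      version,
      status: version ? patchStatus(version, min) : 'unknown',
    };
  }
  return report;
}

// Constructed sample modelled on the strings quoted in the comments; it is
// not output captured from a real machine.
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 10.0 r42' },
  { name: 'Shockwave for Director', description: 'Adobe Shockwave for Director', version: '11.5.2.602' },
];

if (typeof navigator !== 'undefined' && navigator.plugins) {
  console.log(auditPlugins(navigator.plugins)); // in a browser: audit the real list
} else {
  console.log(auditPlugins(SAMPLE_PLUGINS));    // offline: audit the constructed sample
}
```

Pasted into a browser console it audits the real plugin list; run under Node it audits the constructed sample. A status of 'unknown' means the description string did not carry enough components to settle the question, which is exactly the Flash case: the description says “10.0 r42” while the patch level lives in the fourth component, so confirm it from the plugin file’s own version field instead.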


27 thoughts on “Adobe Ships Critical Shockwave Update”

  1. AlphaMack

    Restarting a computer for a browser plugin is asking much here.

    Between Adobe’s stupid DLM trying to get in the way of you grabbing the latest copy of Reader, the need to grab TWO Flash plugin installers coupled with no easy updating mechanism and no way to manage LSOs (BetterPrivacy does a great job with this in FF), and the AIR abomination (really, who uses that?), Adobe had better figure out how to get with the program here.

  2. Chester Wisniewski - Sophos

    Hi Brian,

    I posted some very similar advice on Shockwave in my blog this week as well (http://www.sophos.com/blogs/chetw/g/2010/01/21/operation-aurora-patch-evidence-china-connection/). I have not seen many workstations that actually need Shockwave, even if they have it installed. I advise people to remove rather than patch it, as it reduces the attack surface. It is likely very few if any computers in a professional environment actually need Shockwave.

    Chester Wisniewski
    Senior Security Advisor
    Sophos Inc.

  3. Paul

    Shockwave Player doesn’t even work in Safari while running in 64-bit mode. Since that’s the default mode under OS X 10.6 (Snow Leopard), users are ‘automatically’ protected from Shockwave content 🙂

    Thanks for the ‘don’t use it – lose it’ pointer Brian, I’ve uninstalled a number of things from my Macs too!

  4. Tommy

    Two or three months ago I found out about the info stored in Flash Player as Local Shared Objects (LSO); bit of a surprise to see cookies like them in my Flash Player. If you go to the URL below you can delete them, but best not to untick any of the boxes in any tabs or you can have problems on YouTube etc.

    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

  5. Rick

    We don’t use Adobe products other than browser plugins but we hear and read a lot of complaints about Adobe. It’s more than the flash programme they need to get with.

  6. Dan

    Brian, Love your reporting. You indicate you don’t use Flash and recommend not to have it on your machine but…

    my NoScript plug-in for Firefox is showing that your blog has Flash on it (from Clearspring). Live what you preach… 😉

    (Just a friendly joke…)

    1. BrianKrebs Post author

      Hi Dan. Thanks for the nice note, but where do I say I don’t use Flash? It’s pretty hard to use much of the Web without it. Yes, Noscript blocks it by default, but you can still enable Flash with noscript with one click.

      1. Dan

        My bad Brian. I was remembering your list of software you have ditched (Adobe Reader, Java, Quicktime, and recently Real Player) incorrectly and thinking Flash was part of that list. Good luck on the new venture. I recommend your blog to anyone who will listen. Keep the pressure up on the bad guys.

  7. Rosie

    Turns out I had Shockwave installed so I used CCleaner to uninstall it — with the automatic option. Restarted the computer and a window came up informing me a new version of Shockwave was available. I thought that was strange. I declined.

    Went back to the test page and received a couple of error messages of download problem and incorrectly installed Shockwave program.

    Checked in the add/remove programs and it is no longer listed. Then checked again in Firefox 3.6 plug-ins and it was still there. Disabled it (no uninstall option), and went to the test page again.

    This time there was a notice on the page that the plug-in was disabled.

    Guess there is something else that needs to be uninstalled, but I don’t know what or how to do it.

    1. Sarah

      Rosie, in response to your comment “Guess there is something else that needs to be uninstalled, but I don’t know what or how to do it.”–If you are not already using Secunia’s free PSI (Personal Software Inspector), I encourage you to download it from:

      This is an excellent vulnerability scanner, which will help you keep your software patched and otherwise up-to-date. I also recommend using the PSI in the “Advanced” mode. Don’t be shy, because it says “Advanced.” It is really very easy to use, and only in the “Advanced” mode will you be able to see the installation paths to insecure exe, ocx, and dll files, which the PSI will find on your computer. If you have a residue of insecure Adobe dross on your machine, the PSI will find it, tell you the installation path, and may even recommend a solution.

      I also encourage you to participate in Secunia’s lively community forum. You can ask your Shockwave questions there, and a courteous and knowledgeable volunteer will most likely answer promptly. Secunia officials also participate in the forum in addition to answering individual e-mails about insecure software the PSI has identified.

      Address of Secunia’s forum:

      Before anyone can help you, you need to supply more information such as what kind of computer system you are using. Using the PSI to locate the insecurity will equip you to ask specific questions about what to do next, if you are unsure.

      Secunia’s Forum is searchable. By entering keywords and perusing Shockwave threads, you may be able to answer your own questions, too.

      Hope this helps. Good luck.

      Sarah

      1. Rosie

        Thanks, Sarah.

        I do have Secunia PSI installed (long time non-geek Krebs reader) and it says I am 100% patched and does not list Shockwave as one of patched programs. It does show Adobe Flash 10.x fully patched which I need and use.

        I have looked at the forums before. Just never thought of them this time, as for some reason did not equate uninstalling problems with PSI. Will go over there and check around.

    2. Tony Smit

      I am late to this conversation posting this, but on my Windows XP installation on a consumer Compaq PC there was not an entry in Add/Remove programs or a separate uninstaller for Shockwave, probably because the Help provided by Compaq required the Shockwave player.

      Fortunately, there is an uninstaller for Shockwave on the Adobe website, and it is a bear to find it using their “search”.

      http://www.adobe.com/shockwave/download/alternates/

      Scroll down the page to “Shockwave Player” and look for the uninstaller. For “Windows 98/2000/XP” it is this link:

      http://fpdownload.macromedia.com/get/shockwave/uninstall/win/sw_uninstaller.exe

  8. Frank

    I think Adobe’s problems go beyond Flash. They should put security first and features second for all their products.

  9. David Thompson

    Brian

    Would you consider writing an article recapping all the various patches, updates and exploits that were covered in the last week. I would link to it.

    Thanks

  10. lembark

    You forgot to mention that an update is also available for Linux. None of the security bulletins I can find list the O/S, however, so I don’t know if Flash is an issue here or not.

  11. Wildermann

    I notice you’ve decided not to use Java, but how then do you access sites such as your bank, newspapers, forums, flash videos and god knows what? I use NoScript for surfing, but a computer with no Java at all? How does that work?

    Also glad you’re continuing your work after leaving the WP.

      1. jen

        I just removed Java. Now I can’t use Secunia which requires Java and not Javascript. Is there a workaround? Do you still use Secunia?

        1. BrianKrebs Post author

          You can’t use Secunia’s PSI without having Java. I believe even their online version of the scanner requires you to have Java installed.

          I do not use Secunia for this reason. There’s something ironic about having to install Java just to be able to scan for software that needs patching. Granted, Secunia will let me know if my Java is out of date, but I pay pretty close attention to this subject, and so derive far less utility out of PSI. Your mileage, however, may differ.

          1. Sarah

            Brian and Jen,

            Secunia’s Online Software Inspector (OSI) requires installation of the Java Runtime Environment. I never use it, primarily because it reports on a very limited number of programs–about 70. My post above, responding to Rosie’s dilemma, discussed only Secunia’s PSI.

            The functionality of the Personal Software Inspector (PSI) does not depend on the installation of JRE. The PSI works just fine without Java, and it can identify vulnerable installations of hundreds of programs and browser extensions in addition to missing Microsoft patches.

            I do not know if the CSI, or corporate version of the Software Inspector, requires JRE or not.

            I apologize to you and your readers for not including this information in my previous post.

            The PSI does require the installation of the Active X flavor of Adobe’s Flash Player. The vulnerability scanner works perfectly without Flash; however, you cannot view the pie chart and bar graph on the top level page of the user interface without Flash for IE. Also, I should have mentioned the system requirements for the PSI are Win XP SP2 or higher, Vista, or Win 7.

            By the way, the Jan. 24th handler’s diary at SANS (Internet Storm Center) was “Outdated Client Applications.” The handler requested input from readers regarding how updating of client applications is managed, both at home and in the corporate environment. Although Secunia’s Software Inspectors received the most mention, other strategies of interest to both security experts and network gurus appear in the comments.

            Sarah

          2. Rosie

            Brian, I thought you were the one that encouraged Secunia PSI. Sorry to evoke your name in my earlier message. 🙂 Limited user account regular patching (auto, if possible), up-to-date anti-virus, FoxFire, no-script, regular scans for malware, and most of all, conscientious browsing … Isn’t that what you preach for the most part?

            1. BrianKrebs Post author

              hi rosie. i’m not preaching against Secunia PSI. I happen to think it’s great for your average user because it really does help people stay on top of things. I just said I don’t use Java.

              But at any rate, as someone else in this discussion already pointed out, you don’t need Java installed to use Secunia’s installed program, just when using Web scan. So even if you don’t have Java installed, you can still run Secunia’s installed PSI.

              Sorry for the confusion. Hope that clears things up.

  12. Daniel Veditz

    Brian,

    Mozilla does not call it “Shockwave Flash”, it just displays the name field provided by the plugin itself. Adobe could theoretically change that any release they want to, but in practice may not be able to. Any web code that references navigator.plugins[“Shockwave Flash”] would break if that were changed.

    1. BrianKrebs Post author

      Hi Dan. Thanks for the comment. So are you saying there’s nothing Mozilla can do to reduce that confusion? What about in the new FF3.6 feature, Plugin Scanner, which scans for insecure plugins? Could not Mozilla reduce some confusion there?

      1. Wladimir Palant

        Brian, I am looking at the file c:\Windows\System32\Macromed\Flash\NPSWF32.dll on my system:

        CompanyName : Adobe Systems, Inc.
        FileDescription : Shockwave Flash 10.0 r42
        ProductName : Shockwave Flash
        FileVersion : 10,0,42,34
        InternalName : Adobe Flash Player 10.0

        Oops… Yes, it is Adobe itself that is confused how to call its plugin. Mozilla simply reports the name as it gets it. Now Mozilla could probably do a hack specifically for Flash: s/Shockwave Flash/Flash Player/. But I don’t think Mozilla wants to get into the business of telling vendors what the proper name of their product is.

  13. BrianKrebs Post author

    Sarah — Thanks for the clarification. Sounds like I had the PSI and online scanner backwards in my reply to Jen. It’s been a while since I’ve used either the installable or online scanner.

  14. Enon

    Looking over this post and the comments (and noting the frequent mention of ActiveX), I’m wondering how much of this impacts non-Windows users.

    Not that I never use Windows – I keep a VM available for certain tasks and I deal with hundreds of Windows machines at work (where I’m paid to spin my wheels), but outside of work I prefer to avoid the monstrosity and tend to favor the various BSDs (including OS X, a BSD/Mach hybrid).

    I do practice safe computing (keep the system up to date, use a restricted account for day to day work, don’t enable the root account, don’t download cracked software), but I don’t live in fear of my machine (don’t run that! don’t click on these! uninstall this software!).

    Java: I have a number of interesting and useful Java programs, and I sometimes program in the language. Am I really at risk? I think not.

    (And for the people who repeat the cliche that the Mac market share is too small for OS X to be targeted: it is targeted, there are trojans and Mac botnets. What doesn’t exist are drive-by exploits, viruses and worms. The BSDs just don’t expose the same attack surfaces that Windows does.)

Comments are closed.