Slashdot Mirror


Shockwave Vulnerabilities Affect More Than 450 Million Systems

Trinity writes "Researchers from VUPEN have discovered critical vulnerabilities in Adobe Shockwave, a technology installed on over 450 million Internet-enabled desktops. The vulnerabilities could allow remote code execution by tricking a user into visiting a web page using Internet Explorer or even Mozilla Firefox. Version 11.5.1.601 as well as earlier ones are affected. The vendor recommends upgrading to version 11.5.1.602." Especially sobering when you consider Adobe's current push to be essentially required as an intermediary player for anyone who wants to see certain government data.

19 of 130 comments

  1. Re:Flashblock by al0ha · · Score: 4, Informative

    It is not Flash Player - it is Shockwave Player, and frankly I am really surprised devs still use Shockwave and people still install Shockwave Player.

    The only reason to use Shockwave in the past was that it was scriptable. Flash has been scriptable since version 5.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
  2. no MSI installer yet by Rob Bos · · Score: 2, Informative

    As of posting, there's no MSI installer for the new version yet, and the .exe installer doesn't seem to support silent installs.

    http://www.appdeploy.com/packages/detail.asp?id=1438

    1. Re:no MSI installer yet by clone53421 · · Score: 4, Informative

      So? This isn't Flash. You don't need it to visit 95% of the web. You hardly ever need it – I didn't even have it installed.

      Check the add-ons; if you don't have "Shockwave for Director", it isn't even installed. "Shockwave Flash" is the flash player (not Shockwave).

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  3. Re:Remind a noob... by Reason58 · · Score: 4, Informative

    > What's the difference between Shockwave and Flash?
    >
    > Or are they the same thing? If so, why two names for it?

    You're welcome.

  4. If you get an error installing Shockwave... by ThreeGigs · · Score: 3, Informative

    If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.

    To disable:
    Look in the root of your C: drive for boot.ini.
    Start a command line. Attrib c:\boot.ini -r -a -s -h
    Edit boot.ini (In notepad)
    Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
    Save boot.ini.
    In the command window type attrib c:\boot.ini +r +a +s +h
    Reboot. DEP is now disabled.
    Install the Shockwave Player update.

    Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.

    Alternatively you can save a copy of the edited boot.ini, set the attribs to +r +a +s +h, and rename as necessary in case (read: when) you need to disable DEP again in the future.

    I figure a lot of users are going to have this problem (again), as Adobe still hasn't fixed this bug.

    1. Re:If you get an error installing Shockwave... by WD · · Score: 3, Informative

      If the act of simply installing the software relies on violating DEP, do you think that perhaps may be an indication about the quality of the code itself? It may be time to think twice about whether you want it on your system. Uninstalling is probably easier and safer.

    2. Re:If you get an error installing Shockwave... by Anonymous Coward · · Score: 5, Informative

      Ummm, why not use the simple right-click "my computer" and turn DEP off (or just add a DEP exception) instead of editing a text file?

      > If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.
      >
      > To disable:
      > Look in the root of your C: drive for boot.ini.
      > Start a command line. Attrib c:\boot.ini -r -a -s -h
      > Edit boot.ini (In notepad)
      > Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
      > Save boot.ini.
      > In the command window type attrib c:\boot.ini +r +a +s +h
      > Reboot. DEP is now disabled.
      > Install the Shockwave Player update.
      >
      > Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.

    3. Re:If you get an error installing Shockwave... by Anonymous Coward · · Score: 4, Informative

      And I want to run an application that executes in its data area why?

      It would be different if the installer intentionally used some sort of self modifying code system.

      But the only possible explanation for why a Shockwave updater fails to run with DEP enabled, is that at least one of its threads is doing some sort of buffer overrun and running off into the woods. It just usually doesn't break things bad enough to make the installation fail, unless DEP actually stops the thread.

      Not exactly the type of program I want to be running on my computer.

    4. Re:If you get an error installing Shockwave... by ThreeGigs · · Score: 2, Informative

      Been there done that, and DEP status doesn't change unless a reboot happens. And if you've got DEP set to optin in boot.ini, it'll always re-enable itself. Yes, there are other ways to change it, but I always preferred to go directly to the root.
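
Added example, not part of any comment in this thread: a Python check over a collected boot.ini that reports boot entries left at `/noexecute=AlwaysOff`, the state the workaround above leaves behind if the re-enable step is skipped. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample boot.ini (not from the thread): the default entry was left
# at AlwaysOff after an install, the second entry still carries OptIn.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /NoExecute=AlwaysOff /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="XP test /noexecute=optout" /fastdetect /noexecute=optin
"""

KNOWN = {"optin", "optout", "alwayson", "alwaysoff"}

def parse_boot_ini(text):
    """Return (default_entry, {entry: dep_policy}) from boot.ini text."""
    default, policies, section = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, rest = line.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        if section == "boot loader" and key == "default":
            default = rest.strip().lower()
        elif section == "operating systems":
            # Drop the quoted menu title so text inside it is not read as a switch.
            switches = re.sub(r'"[^"]*"', "", rest)
            m = re.search(r"/noexecute=(\w+)", switches, re.IGNORECASE)
            policy = m.group(1).lower() if m else "unspecified"
            if m and policy not in KNOWN:
                policy = "invalid:" + policy
            policies[key] = policy
    return default, policies

def audit_dep(text):
    """List findings for boot entries whose DEP policy is AlwaysOff."""
    default, policies = parse_boot_ini(text)
    findings = []
    for entry, policy in policies.items():
        if policy == "alwaysoff":
            tag = "default entry" if entry == default else "non-default entry"
            findings.append(f"DEP disabled on {tag}: {entry}")
    return findings
```
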

  5. Re:Government by John Hasler · · Score: 4, Informative

    > Is he worried the gov will abuse this hole?

    No. He's worried that the government is going to make their data inaccessible to anyone who doesn't install a useless piece of junk that would make their computer insecure.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  6. Re:Flashblock by Khyber · · Score: 3, Informative

    Flash didn't have Shockwave's 3D acceleration until version 10 of Flash. That is why many devs still used Shockwave.

    Surprised? Pay more attention to the featureset next time, yea?

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  7. Even Adobe can't explain Shockwave properly. by Animats · · Score: 4, Informative

    Even Adobe can't explain Shockwave properly.

    Shockwave is a real 3D system usable as a decent game engine. At one time, it even had the Havok physics engine, but Adobe didn't keep up the payments and had to take that out. Try BMX Street Rider, which is a reasonably decent free-play game in a modest sized city. It's way ahead of the proposed hacks for doing 3D with Javascript.

    What killed Shockwave for trivial applications is "LOADING..." problems. Flash can start before all the content has been loaded, because Flash has two interleaved streams, a timeline and assets. As soon as you have enough assets for the stuff needed by the timeline so far, Flash can go. So you can write Flash that starts fast and loads assets in the background.

    1. Re:Even Adobe can't explain Shockwave properly. by azav · · Score: 2, Informative

      NO. Shockwave is Director content compressed for playback over the internet. Director supports xtras, much like Photoshop supports plugins. One of those plugins is a 3D environment, Flash is another. Director is a timeline based bitmap, text, video and vector animation tool with an object oriented scripting language in verbose, dot and javascript syntaxes. Director content can be played back in a standalone disk based app or through a browser that has the Shockwave plugin installed.

      Director content can also stream in as needed, with a minimum of the content loading, so your comment about "LOADING..." problems is untrue.

      --
      - Zav - Imagine a Beowulf cluster of insensitive clods...
  8. Re:Flashblock by colfer · · Score: 4, Informative

    No, it's two different plugins.

    1. Shockwave Flash 10.0 r32
    2. Shockwave for Director 11.5

    You can have 1 without 2, latest versions.
    Looks like some crazed half-forgotten branding initiative.

    Interestingly, the player test page http://www.adobe.com/shockwave/welcome/ tries to install an old version if you have only Flash:

    Macromedia Shockwave Player 10.1

    That's the old branding and an old version. But anyway it fails to install. Maybe Adobe is confused by my nightly version of Firefox.

  9. Re:Just in case... by clone53421 · · Score: 4, Informative

    I did too – then I realized that I didn't have Shockwave in the first place. I had Flash, which is different. Now I'm considering uninstalling Shockwave again, because I didn't need it before and I don't expect to need it in the future.

    Are you sure you had it to begin with?

    "Shockwave Flash" is Flash (plays .swf files). "Shockwave for Director" is Shockwave (uses .dcr files).

    Yes, it's confusing. You can thank Adobe for that.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  10. Re:Flashblock by deuterium · · Score: 4, Informative

    Being a Director developer, there are some things Director can do that Flash can't:

    Control embedded PDF files
    Manipulate bitmaps
    Create 3D scenes with physics
    Make network calls through proxy servers
    Access/Modify system resources
    Wider range of media support

    Director is actually capable of more than Flash, it just never caught on as well with developers. The mob rules, though.

  11. Re:Are there FOSS alternatives to Flash and Shockw by supersloshy · · Score: 3, Informative

    Google Gnash and Swfdec; they're coming along nicely, but aren't 100% replacements as of yet.

    --
    "Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
  12. Re:Are there FOSS alternatives to Flash and Shockw by slimjim8094 · · Score: 2, Informative

    1. Yes/no.
    2. See above. Nobody cares about Shockwave, though.
    3. Yes.

    It's called Gnash. See http://www.gnu.org/software/gnash/
    There's also a few others, such as http://swfdec.freedesktop.org/wiki/ . Gnash is probably better.

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  13. Here are the shockwave stats - could be a problem by Anonymous Coward · · Score: 5, Informative

    Ok, I just compiled some stats on Shockwave version plugin distribution using roughly 30 million unique data points from July 1 of this year until about a week ago - here is roughly the distribution (includes IE/FF/etc. - all major browsers):

    Not installed => 67.54%
    11,0,0,0 => 2.86%
    10,2,0,0 => 2.84%
    10,1,0,0 => 2.59%
    11,0,0,465 => 2.41%
    11,5,0,0 => 2.05%
    11,5,1,601 => 1.90%
    8,5,1,0 => 1.75%
    10,1,4,0 => 1.73%
    11,0,0,429 => 1.58%
    11,0,3,472 => 1.56%
    10,1,1,0 => 1.53%
    11,5,0,596 => 1.46%
    11,5,0,600 => 1.38%
    11,0,3,471 => 1.35%
    11,5,0,595 => 1.21%
    11,0,0,458 => 0.93%
    10,3,0,0 => 0.78%
    11,0,3,470 => 0.66%
    8,0,0,0 => 0.43%
    10,1,3,0 => 0.37%
    8,5,0,0 => 0.32%
    11,0,3,0 => 0.23%
    10,0,0,0 => 0.16%
    10,0,1,0 => 0.11%
    7,0,0,0 => 0.10%
    11,5,1,0 => 0.08%
    10,4,0,0 => 0.04%
    6,0,0,0 => 0.03%

    What is potentially troubling is that there does not appear to be much in the way of upgrade movement in Shockwave installs. So if "Adobe Shockwave Player versions prior to 11.5.2.602" are truly at risk, we are talking about 30% of web users roughly.

    I will publish a more in-depth report later today here: http://www.statowl.com/ in the plugin section. I have been neglecting that site anyways - time to update the stats - the past three months are absent - sigh....