Shockwave Vulnerabilities Affect More Than 450 Million Systems
Trinity writes "Researchers from VUPEN have discovered critical vulnerabilities in Adobe Shockwave, a technology installed on over 450 million Internet-enabled desktops. The vulnerabilities could allow remote code execution by tricking a user into visiting a web page using Internet Explorer or even Mozilla Firefox. Version 11.5.1.601 as well as earlier ones are affected. The vendor recommends upgrading to version 11.5.1.602." Especially sobering when you consider Adobe's current push to be essentially required as an intermediary player for anyone who wants to see certain government data.
Ummm, why not use the simple right-click "my computer" and turn DEP off (or just add a DEP exception) instead of editing a text file?
If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.
To disable:
Look in the root of your C: drive for boot.ini.
Start a command line. Attrib c:\boot.ini -r -a -s -h
Edit boot.ini (in Notepad)
Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
Save boot.ini.
In the command window type attrib c:\boot.ini +r +a +s +h
Reboot. DEP is now disabled.
Install the Shockwave Player update.
Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.
Ok, I just compiled some stats on Shockwave version plugin distribution using roughly 30 million unique data points from July 1 of this year until about a week ago - here is roughly the distribution (includes IE/FF/etc. - all major browsers):
Not installed => 67.54%
11,0,0,0 => 2.86%
10,2,0,0 => 2.84%
10,1,0,0 => 2.59%
11,0,0,465 => 2.41%
11,5,0,0 => 2.05%
11,5,1,601 => 1.90%
8,5,1,0 => 1.75%
10,1,4,0 => 1.73%
11,0,0,429 => 1.58%
11,0,3,472 => 1.56%
10,1,1,0 => 1.53%
11,5,0,596 => 1.46%
11,5,0,600 => 1.38%
11,0,3,471 => 1.35%
11,5,0,595 => 1.21%
11,0,0,458 => 0.93%
10,3,0,0 => 0.78%
11,0,3,470 => 0.66%
8,0,0,0 => 0.43%
10,1,3,0 => 0.37%
8,5,0,0 => 0.32%
11,0,3,0 => 0.23%
10,0,0,0 => 0.16%
10,0,1,0 => 0.11%
7,0,0,0 => 0.10%
11,5,1,0 => 0.08%
10,4,0,0 => 0.04%
6,0,0,0 => 0.03%
What is potentially troubling is that there does not appear to be much in the way of upgrade movement in Shockwave installs. So if "Adobe Shockwave Player versions prior to 11.5.2.602" are truly at risk, we are talking about 30% of web users roughly.
I will publish a more in-depth report later today here: http://www.statowl.com/ in the plugin section. I have been neglecting that site anyways - time to update the stats - the past three months are absent - sigh....