Shockwave Vulnerabilities Affect More Than 450 Million Systems

Flashblock by sakdoctor · 2009-11-05 07:18 · Score: 3, Insightful

Not just a good idea. It's the law.

Re:Flashblock by al0ha · 2009-11-05 07:22 · Score: 4, Informative

It is not Flash Player - it is Shockwave Player, and frankly I am really surprised devs still use Shockwave and people still install Shockwave Player.

The only reason to use Shockwave in the past was that it was scriptable. Flash has been scriptable since version 5.

--
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
Re:Flashblock by Tumbleweed · 2009-11-05 07:46 · Score: 1

It is not Flash Player - it is Shockwave Player, and frankly I am really surprised devs still use Shockwave and people still install Shockwave Player.
In my Firefox, it's called "Shockwave Flash" - one plugin that does both.
Re:Flashblock by Khyber · 2009-11-05 08:05 · Score: 3, Informative

Flash didn't have Shockwave's 3D acceleration until version 10 of Flash. That is why many devs still used Shockwave.
Surprised? Pay more attention to the featureset next time, yea?

--
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Re:Flashblock by mcgrew · 2009-11-05 08:05 · Score: 4, Interesting

I'm surprised that anybody's surprised that a new Adobe exploit has surfaced, They seem to have surpassed Microsoft in their zeal to get your PC infected; Microsoft seems to hava actually been getting better in the last couple of years. Or Microsoft seems to at least be trying. Adobe doesn't seem to care.

--
Free Martian Whores!
Re:Flashblock by colfer · 2009-11-05 08:08 · Score: 4, Informative

No, it's two different plugins.
1. Shockwave Flash 10.0 r32
2. Shockwave for Director 11.5
You can have 1 without 2, latest versions.
Looks some crazed half-forgotten branding initiative.
Interestingly, the player test page http://www.adobe.com/shockwave/welcome/ tries to install an old version if you have only Flash:
Macromedia Shockwave Player 10.1
That's the old branding and an old version. But anyway it fails to install. Maybe Adobe is confused by my nightly version of Firefox.
Re:Flashblock by Tubal-Cain · 2009-11-05 08:12 · Score: 5, Insightful

They seem to have surpassed Microsoft in their zeal to get your PC infected...
And considering that they have more marketshare than Microsoft, they can actually pull it off.
Re:Flashblock by clone53421 · 2009-11-05 08:19 · Score: 1

No, it's two different plugins.
1. Shockwave Flash 10.0 r32
2. Shockwave for Director 11.5
Yes. This. Also, that's confusing as hell.

--
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Re:Flashblock by deuterium · 2009-11-05 08:25 · Score: 4, Informative

Being a Director developer, there are some things Director can do that Flash can't:
Control embedded PDF files
Manipulate bitmaps
Create 3D scenes with physics
Make network calls through proxy servers
Access/Modify system resources
Wider range of media support
Director is actually capable of more than Flash, it just never caught on as well with developers. The mob rules, though.
Re:Flashblock by ais523 · 2009-11-05 08:39 · Score: 4, Insightful

Being a Director developer, there are some things Director can do that Flash can't:
Make network calls through proxy servers
Access/Modify system resources
Director is actually capable of more than Flash, it just never caught on as well with developers. The mob rules, though.
This may be nice for a developer, but for a user, this is really scary.

--
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
Re:Flashblock by TheDarkener · 2009-11-05 09:36 · Score: 1

Sounds like a personal problem to me...
Oh, SHOCK block.

--
It is pitch black. You are likely to be eaten by a grue.
Re:Flashblock by EXrider · 2009-11-05 10:11 · Score: 1

Question... why to this day does Adobe STILL not have some kind of unified server update solution for business networks? Sure, as an admin, I can roll my own scripts together to get it done, but with the frequency required lately, it's getting really old. It drives me insane having to download and install the same CS updates on multiple machines. Acrobat Reader and Flash updates on multiple browsers and platforms is even worse.

--
grep -iw skynet /etc/services
Re:Flashblock by Frosty+Piss · 2009-11-05 10:22 · Score: 1

Adobe doesn't seem to care.
It's not the only thing they don't care about.

When will they come out with Photoshop / Image Raedy for Linux? No market? Bullshit.

Basically, a wink wink nod nod with the money men @ Microsoft and Apple.

--
If you want news from today, you have to come back tomorrow.
Re:Flashblock by CSMatt · 2009-11-05 10:31 · Score: 2, Insightful

Flashblock puts a placeholder in front of Flash, Shockwave, Authorware, Java, and Sliverlight.
Re:Flashblock by ozmanjusri · 2009-11-05 15:29 · Score: 1

They seem to have surpassed Microsoft in their zeal to get your PC infected;
Is this any better/worse than the Remote Code Execution vulnerability in Silverlight last month?
And a general question to Slashdot. Is the current proliferation and duplication of interactive web platforms (Flash, Silverlight, HTML5 etc) with the resultant increase in surface area for vulnerabilities better or worse than a monoculture?
Would we all be better off just pushing for a single web platform?

--
"I've got more toys than Teruhisa Kitahara."
Re:Flashblock by toadlife · 2009-11-05 17:22 · Score: 1

They supply their software as .msi packages which can be deployed via active directory GPOs. That's how I deploy, flash, shockwave and reader. I'll be deploying the new shockwave tomorrow. They make you sign up for a "license" in order to get access to the msi packages, which is extremely annoying.

--
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Re:Flashblock by weicco · 2009-11-05 17:33 · Score: 1

Access/Modify system resources
Just curious... Do you happen to know if this is possible in Windows Vista and IE with UAC turned on? Shouldn't the lower privileges of the browser and UAC stop any add-on from accessing, or at least modifying, system resources?
This is why I scratched my head when I read from the summary even Firefox. Shouldn't it say, in this particular case, even IE?

--
You don't know what you don't know.
Re:Flashblock by uninformedLuddite · 2009-11-05 22:01 · Score: 1

Are you using one of those stone tablet PCs?

--
The new right fascists are bilingual. They speak English and Bullshit.
Re:Flashblock by V!NCENT · 2009-11-05 22:17 · Score: 1

The official response from Adobe at the time was that there was no screen color adjustment software (or whatever it's called, you know what I mean) for Linux at that time. Maybe if someone informs them about these software packages on Linux they might reconsidder a Photoshop port and see what their next complaints are so the 'community' could adress these problems...

--
Here be signatures
Re:Flashblock by Spazztastic · 2009-11-06 00:04 · Score: 1

They supply their software as .msi packages which can be deployed via active directory GPOs. That's how I deploy, flash, shockwave and reader. I'll be deploying the new shockwave tomorrow. They make you sign up for a "license" in order to get access to the msi packages, which is extremely annoying.
We have a problem with Flash, Shockwave, and Java. Somehow when it's being pulled down and installed via GPO the installation breaks and I have to uninstall it, remove the registry key, and run the MSI cleanup, then gpupdate and HOPE it works. The problem? We're a school district with 2500+ student desktops and when they do testing that relies on Flash/Shockwave/Java it's a problem when the installation is broken and we have to manually fix and verify every system.

--
Posts not to be taken literally. Almost everything is sarcasm.
Re:Flashblock by David_W · 2009-11-06 01:49 · Score: 1

Flashblock puts a placeholder in front of Flash, Shockwave, Authorware, Java, and Sliverlight.
Are you using a different Flashblock than this one? According to the page there it only blocks the first three. I wouldn't mind to have something that could do it for the other two as well, but Flashblock doesn't seem to be it.
Re:Flashblock by EXrider · 2009-11-06 02:31 · Score: 1

Yeah, I'm aware of the MSI packages available. Unfortunately MSIs deployed via GPO do not help me with the 15 Macs running various versions of CS, Flash and Acrobat.

--
grep -iw skynet /etc/services
Re:Flashblock by CSMatt · 2009-11-06 04:16 · Score: 1

Well I got that from Wikipeida since I don't use Flashblock anymore. Their source is the CVS logs.
Re:Flashblock by toadlife · 2009-11-06 05:12 · Score: 1

I've never had problems with the flash and shockwave msi pakcages, but I have experienced problems with java not uninstalling properly. We ended up witha situation where the old java would not install and the new java was partially installed. My solution was to write a start up script (assigned by GPO). It would check for the existence of a file that was specific to the old version of java and if found would call another script to clean up the mess.

REM - Fix broken java 1.5 issue if exist "C:\Program Files\Java\jre1.5.0_13\bin" call "\\domain.com\machine_conf\scripts\nuke_java_6.cmd"

Here is the script that does the nuking of the old version...

copy /y \\domain.com\machine_conf\tools\MsiZap.exe %systemroot%\system32 msizap TW! \\domain.com\dfs\softdeploy\sun_jre_1.5_13\jre1.5.0_13.msi reg IMPORT \\domain.com\machine_conf\registry\nuke_java_6.reg taskkill /f /im "jqs.exe" rd /s /q "%programfiles%\Java\jre1.5.0_13\bin" del /f /q "%programfiles%\Java\jre1.5.0_13\*" rd /s /q "%programfiles%\Java\jre6" msiexec /x "\\domain.com\dfs\softdeploy\sun_jre_1.6.0_13\jre1.6.0_13.msi" /qn echo "%date% %time%","%computername%">>"\\domain.com\machine_conf\broken_java5.txt" gpupdate /force /boot

here is the reg entry that is imported by the previous script. It removes the new java version from grou policy so that the machine will reinstall it on next boot. You would have to adjust it to fix your environment.

Windows Registry Editor Version 5.00 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\{1fcc93f6-13ad-4002-99fa-d072390e322b}]

--
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Re:Flashblock by toadlife · 2009-11-06 05:48 · Score: 1

Job security for you!? :)

--
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.

But there's already a patch by pdclarry · 2009-11-05 07:21 · Score: 2, Insightful

As there are over a billion computers with Windows vulnerabilities and countless other "at risk" applications that get patched regularly this doesn't sound like a situation all that out of the ordinary. And as with Windows some users will update and some will remain at risk.

Does this really need to be discussed? by BattleApple · 2009-11-05 07:26 · Score: 1

You could pretty much take any two security issue threads on here, swap the comments section, and never know the difference.

Software has bugs.
Some of them are security issues.
They get discovered.
They (usually) get fixed.

What's there to talk about?

Re:Does this really need to be discussed? by ColdWetDog · 2009-11-05 07:33 · Score: 2, Funny

What's there to talk about?
Sex? Cars? Come on, I'm sure we can think of something.

--
Faster! Faster! Faster would be better!
Re:Does this really need to be discussed? by Yvan256 · 2009-11-05 08:22 · Score: 1

Sex in cars? Sexy cars? Car-on-car sex?
The possibilities are a bit limited if you only give us two options.

no MSI installer yet by Rob+Bos · 2009-11-05 07:27 · Score: 2, Informative

As of posting, there's no MSI installer for the new version yet, and the .exe installer doesn't seem to support silent installs.

http://www.appdeploy.com/packages/detail.asp?id=1438

Re:no MSI installer yet by gad_zuki! · 2009-11-05 08:01 · Score: 1

Big deal. Wrap it in an AutoHotKey script, make it invis, whatever you want. Admins who wait for MSIs are pretty lazy or dont know scripting.
Re:no MSI installer yet by idontgno · 2009-11-05 08:07 · Score: 1

Admins who wait for MSIs are in a systems management regime that requires MSI installs.

FTFY.

--
Welcome to the Panopticon. Used to be a prison, now it's your home.
Re:no MSI installer yet by clone53421 · 2009-11-05 08:25 · Score: 4, Informative

So? This isn't Flash. You don't need it to visit 95% of the web. You hardly ever need it – I didn't even have it installed.
Check the add-ons; if you don't have "Shockwave for Director", it isn't even installed. "Shockwave Flash" is the flash player (not Shockwave).

--
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

Re:Let's Clear the Confusion off the bat by Joe+Snipe · 2009-11-05 07:28 · Score: 4, Funny

First dupe articles, now dupe posts!

--
Sometimes, life itself is sarcasm...

Hard to care anymore by belthize · 2009-11-05 07:28 · Score: 5, Interesting

I find it harder and harder to really give a shit anymore. All of our systems (linux, Windows ,OSX) all have various automatic patching schemes. Once the vendor gets around to fixing their crap (Adobe in this case) we'll ingest the patch and move on.

Once upon a time I monitored the various security announcement lists but ultimately it didn't matter. Most of this crap has become mission critical so turning it off isn't an option, fixing it yourself is rarely and option so you're left with wait and patch solution.

I guess it's kind of free'ing. I no longer stress about it and focus on more relevant issues.

Re:Hard to care anymore by BitZtream · 2009-11-05 07:52 · Score: 4, Insightful

As a dev, autoupdates are evil. It's great if the updates don't change the behavior of whatever is being updated, but it sucks ass when those updates break or as MS is so fond of, remove functionality.
I've spent the last two months straight dealing work arounds for MS patches that have done this and are rolled out across 15k machines overnight.
Autoupdates are dangerous things. You get unexpected changes with no apparent reason. You have become the beta tester for software companies, and it's become accepted since they will patch it later. Hell, video game consoles are now rolling out buggy games sooner than they should because they can 'patch them later'
how about we up our standards a luittle instead and start requiring better engineering instead of treating updates as acceptable and normal

--
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Re:Hard to care anymore by belthize · 2009-11-05 08:00 · Score: 1

I started to clarify in my initial post but didn't feel like it. We don't *autopatch* anything. We apply applicable patches after testing.
It doesn't change the initial point about not really stressing about announced vulnerabilities. Nothing I can do till they get around to patching it, at which point we'll test and release, though not in this case since we blessedly have no shockwave reqs.
Re:Hard to care anymore by tacokill · 2009-11-05 11:51 · Score: 1

how about we up our standards a luittle instead and start requiring better engineering instead of treating updates as acceptable and normal

Which option do you think costs less?
There's your answer.
Re:Hard to care anymore by maztuhblastah · 2009-11-05 14:03 · Score: 1

As a dev, autoupdates are evil. It's great if the updates don't change the behavior of whatever is being updated, but it sucks ass when those updates break or as MS is so fond of, remove functionality.

Autoupdates are dangerous things. You get unexpected changes with no apparent reason
It doesn't have to be that way...
Come, friend... come and try stable. We'll treat you right.

--
The real litigious bastards...
Re:Hard to care anymore by Sigma+7 · 2009-11-05 17:57 · Score: 1

Which option do you think costs less?

Do you count the cost of a bad reputation if you release a game like Big Rigs?
If a game is critically buggy, it's available for one week, and that's it. My most recent experience is with Ghost Recon Advanced Warfighter; while I could say that it is a passable co-op game, it has a critical bug which Ubisoft support believes is a problem with an outdated video card driver. Because of that, I can't recommend it.
Re:Hard to care anymore by Yvanhoe · 2009-11-05 19:51 · Score: 1

MS won't patch it (not one of their softwares), Firefox will not upgrade it automatically (for a reason I fail to understand) as it is a plugin, Ubuntu doesn't have a patch yet. Maybe debian is up to date... But flash has been a pain in the neck as it almost always required me to care individually of it. However, because this kind of vulnerability has always been a risk, I am using Adblock+NoScript

--
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Re:Hard to care anymore by L0rdJedi · 2009-11-06 05:51 · Score: 1

Why aren't you using an update server? Then you could just point the machines at that and hold the patches there until you've had a chance to test them. I've only got about 60 machines to keep track of and that's what I do. We didn't install IE7 until our CRM software (Goldmine) was compatible. I think I had to hold it back for about 2 months. Once I updated the machines, that forced our other vendor, that was writing a custom web app, to update their code ("No, I will not walk around to 40+ computers and uninstall IE7. Fix your code").
I don't test every single patch that comes through, but I also don't have 15k machines to manage. I would think, with that many machines, most, if not all, would be the same hardware, making it relatively easy to install the patch on one machine (or one group of machines), test everything, and then release it company wide if it passes the tests.
I think the biggest problem we had recently was an IE patch that caused Windows Explorer to not work properly. Every person with that problem hadn't restarted after the update. One restart later, everything was fine.

Re:Remind a noob... by Reason58 · 2009-11-05 07:32 · Score: 4, Informative

What's the difference between Shockwave and Flash?

Or are they the same thing? If so, why two names for it?

You're welcome.

If you get an error installing Shockwave... by ThreeGigs · 2009-11-05 07:37 · Score: 3, Informative

If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.

To disable:
Look in the root of your C: drive for boot.ini.
Start a command line. Attrib c:\boot.ini -r -a -s -h
Edit boot.ini (In notepad)
Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
Save boot.ini.
In the command window type attrib c:\boot.ini +r +a +s +h
Reboot. DEP is now disabled.
Install the Shockwave Player update.

Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.

Alternatively you can save a copy of the edited boot.ini, set the attribs to +r +a +s +h, and rename as necessary in case (read: when) you need to disable DEP again in the future.

I figure a lot of users are going to have this problem (again), as Adobe still hasn't fixed this bug.

Re:If you get an error installing Shockwave... by WD · 2009-11-05 07:48 · Score: 3, Informative

If the act of simply installing the software relies on violating DEP, do you think that perhaps may be an indication about the quality of the code itself? It may be time to think twice about whether you want it on your system. Uninstalling is probably easier and safer.
Re:If you get an error installing Shockwave... by Anonymous Coward · 2009-11-05 07:49 · Score: 5, Informative

Ummm, why not use the simple right-click "my computer" and turn DEP off (or just add a DEP exception) instead of editing a text file?
If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.
To disable:
Look in the root of your C: drive for boot.ini.
Start a command line. Attrib c:\boot.ini -r -a -s -h
Edit boot.ini (In notepad)
Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
Save boot.ini.
In the command window type attrib c:\boot.ini +r +a +s +h
Reboot. DEP is now disabled.
Install the Shockwave Player update.
Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.
Re:If you get an error installing Shockwave... by Anonymous Coward · 2009-11-05 07:49 · Score: 4, Informative

And I want to run an application that executes in its data area why?
It would be different if the installer intentionally used some sort of self modifying code system.
But the only possible explanation for why a Shockwave updater fails to run with DEP enabled, is that at least one of its threads is doing some sort of buffer overrun and running off into the woods. It just usually doesn't break things bad enough to make the installation fail, unless DEP actually stops the thread.
Not exactly the type of program I want to be running on my computer.
Re:If you get an error installing Shockwave... by tokul · 2009-11-05 07:55 · Score: 1

If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.

Even Windows thinks that Shockwave is malware. :)
Re:If you get an error installing Shockwave... by ThreeGigs · 2009-11-05 08:40 · Score: 2, Informative

Been there done that, and DEP status doesn't change unless a reboot happens. And if you've got DEP set to optin in boot.ini, it'll always re-enable itself. Yes, there are other ways to change it, but I always preferred to go directly to the root.
Re:If you get an error installing Shockwave... by Hurricane78 · 2009-11-05 08:48 · Score: 1

I have no C:, you insensitive clod!
(I have a root though.)

--
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Re:If you get an error installing Shockwave... by mister_playboy · 2009-11-05 08:59 · Score: 1

If you have WINE, you could use "Z:"... :)

--
Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
Re:If you get an error installing Shockwave... by Spad · 2009-11-05 09:20 · Score: 1

Sophos AV's heuristics scanning (HIPS) goes mental when you try and install Shockwave; it gets flagged as suspicious behaviour and a buffer overrun risk (Incidentally, Adobe Reader is the same).
Re:If you get an error installing Shockwave... by lennier · 2009-11-05 10:00 · Score: 1

"And I want to run an application that executes in its data area why?"
If it's using any kind of virtual machine with a dynamic languge and a just-in-time compiler (like Forth or Lisp or maybe an efficient implementation of Javascript), it might need to compile bytecode to x86 code and then execute it. How else are we going to implement these languages? "Nobody needs a dynamic language with incremental compilation, everyone should have separate run and compile phases" isn't really a long-term answer.

--
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
Re:If you get an error installing Shockwave... by operagost · 2009-11-05 10:03 · Score: 1

So... why are you removing the "archive" attribute? Just like that doing that spells the word "rash"?

--

Gamingmuseum.com: Give your 3D accelerator a rest.
Re:If you get an error installing Shockwave... by EXrider · 2009-11-05 10:21 · Score: 1

It needs to execute code from the data segment to install!? What a piece! Just un-install it and be done with it.

--
grep -iw skynet /etc/services
Re:If you get an error installing Shockwave... by John+Hasler · 2009-11-05 10:38 · Score: 1

> How else are we going to implement these languages?
Via interpreters.

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Re:If you get an error installing Shockwave... by blincoln · 2009-11-05 10:58 · Score: 1

And I want to run an application that executes in its data area why?
There are two kinds of "DEP" in Windows - hardware DEP, and software "DEP". The software "DEP" is not literally "data execution prevention", it involves blocking the use of exceptions which aren't registered in a global table, or something along those lines. Yes, software that violates it is probably not great, but sometimes an alternative isn't available.

--
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Re:If you get an error installing Shockwave... by yuhong · 2009-11-05 15:33 · Score: 1

Except that this boot.ini way to disable DEP disable DEP for ALL APPLICATIONS!
Re:If you get an error installing Shockwave... by yuhong · 2009-11-05 15:37 · Score: 1

The software "DEP" is not literally "data execution prevention", it involves blocking the use of exceptions which aren't registered in a global table, or something along those lines.
Yep, that is called SafeSEH. OS support for using the SafeSEH table was introduced in Windows Server 2003 and XP SP2, and compiler support for generating this table was introduced in Visual C++ 2003.

dumb users by xxuserxx · 2009-11-05 07:47 · Score: 1

To me this just seems like user stupidity. You can have your computer hijacked a million different ways however if you pay attention to what you click you can avoid most.

Re:Government by John+Hasler · 2009-11-05 07:52 · Score: 4, Informative

> Is he worried the gov will abuse this hole?

No. He's worried that that the government is going to make their data inaccessible to anyone who doesn't install a useless piece if junk that would make their computer insecure.

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.

Re:Remind a noob... by EvilBudMan · 2009-11-05 07:55 · Score: 1

I still don't get why they have two of these? Oh, I remember the Macromedia buyouts. I don't think I have Shockwave installed. I didn't think it was being used anymore.

Re: user stupidity by Dystopian+Rebel · 2009-11-05 07:56 · Score: 1

It is much easier to patch 700 million PCs than it is to make stupid people smarter.

And we're clearly not doing such a good job of patching 700 million PCs.

--
Rich And Stupid is not so bad as Working For Rich And Stupid.

Holy crap! When did linux get here? by Petersko · 2009-11-05 08:03 · Score: 1

To disable:
Look in the root of your C: drive for boot.ini.
Start a command line. Attrib c:\boot.ini -r -a -s -h
Edit boot.ini (In notepad)
Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
Save boot.ini.
In the command window type attrib c:\boot.ini +r +a +s +h
Reboot. DEP is now disabled.
Install the Shockwave Player update.

If I hadn't looked closely I would have assumed this was a relatively painless set of steps an end user would need for doing some workaround in linux.

Actually, adobe has pissed me off many times. Shockwave, in particular, is a bitch to remove because Adobe gets all funky with file permissions - unnecessarily.

Even Adobe can't explain Shockwave properly. by Animats · 2009-11-05 08:06 · Score: 4, Informative

Even Adobe can't explain Shockwave properly.

Shockwave is a real 3D system usable as a decent game engine. At one time, it even had the Havok physics engine, but Adobe didn't keep up the payments and had to take that out. Try BMX Street Rider, which is a reasonably decent free-play game in a modest sized city. It's way ahead of the proposed hacks for doing 3D with Javascript.

What killed Shockwave for trivial applications is "LOADING..." problems. Flash can start before all the content has been loaded, because Flash has two interleaved streams, a timeline and assets. As soon as you have enough assets for the stuff needed by the timeline so far, Flash can go. So you can write Flash that starts fast and loads assets in the background.

Re:Even Adobe can't explain Shockwave properly. by azav · 2009-11-05 15:28 · Score: 2, Informative

NO. Shockwave is Director content compressed for playback over the internet. Director supports xtras, much like Potoshop supports plugins. One of those plugins is a 3D environment, Flash is another. Director is a timeline based bitmap, text, video and vector animation tool with an object oriented scripting language in verbose, dot and javascript syntaxes. Director content can be played back in a standalone disk based app or through a browser that has the Shockwave plugin installed.
Director content can also stream in as needed, with a minimum of the content loading, so your comment about "LOADING..." problems is untrue.

--
- Zav - Imagine a Beowulf cluster of insensitive clods...
Re:Even Adobe can't explain Shockwave properly. by chilbert · 2009-11-06 07:23 · Score: 1

It's a bit more than that... Shockwave dates back to the pre-web days when lots of interactive material was developed for CD-ROM and kiosks. Macromedia Director was the pre-eminent authoring tool for those kinds of content, and Shockwave is an embeddable Director player. But Director/Shockwave never transitioned successfully to the web, partly because of the "Loading..." problem, but also because much interesting Director content depended on a huge variety of valuable client-side plugins called XCommands and XObjects that (as I recall) weren't available in Shockwave, for security reasons. Director remains a great authoring tool for content that runs locally, and more so for all kinds of interactive prototyping that needs to connect with client-side extensions of any kind.

Government not using Shockwave... ? by CannonballHead · 2009-11-05 08:13 · Score: 1

Especially sobering when you consider Adobe's current push to be essentially required as an intermediary player for anyone who wants to see certain government data.

Adobe is pushing for Flash and PDF... not Shockwave and PDF...

Re:Government not using Shockwave... ? by John+Hasler · 2009-11-05 08:18 · Score: 1

So? It's still ridiculous to use it on such a site.

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Re:Government not using Shockwave... ? by CannonballHead · 2009-11-05 08:28 · Score: 1

I agree. I'm saying the summary is incorrect.
Re:Government not using Shockwave... ? by CannonballHead · 2009-11-05 10:28 · Score: 1

It sounded like the summary is trying to say Adobe was pushing for Shockwave to be mandatory for government-kept information access.

Are their FOSS alternatives to Flash and Shockwave by AP31R0N · 2009-11-05 08:20 · Score: 1, Interesting

1) Are there FOSS alternatives to Flash and/or Shockwave?

2) Why(not)?

3) If there was, would it help reduce problems like this?

Please don't mod me as trolling for asking questions!

--
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!

Simlpe dont use any adobe products by hesaigo999ca · 2009-11-05 08:20 · Score: 2, Funny

I just dont use adobe products anymore, either flash, or shockwave, are too seriously integrated into our pcs, that when the day comes that skynet is self aware, that will be the first application it looks to to take over all pcs around the world....have we not learned anything from terminator?

Re:Simlpe dont use any adobe products by brkello · 2009-11-05 10:25 · Score: 1

If you think about it, this is a good thing. Skynet will probably have some adobe products on it somewhere which we can use to hack in to it and disable it, thus saving us all. Adobe has been protecting us from skynet since its inception.

--
Support a great indie game: http://www.abaddon360.com

Re:Just in case... by clone53421 · 2009-11-05 08:23 · Score: 4, Informative

I did too – then I realized that I didn't have Shockwave in the first place. I had Flash, which is different. Now I'm considering uninstalling Shockwave again, because I didn't need it before and I don't expect to need it in the future.

Are you sure you had it to begin with?

"Shockwave Flash" is Flash (plays .swf files). "Shockwave for Director" is Shockwave (uses .dcr files).

Yes, it's confusing. You can thank Adobe for that.

--
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

Re:Are their FOSS alternatives to Flash and Shockw by supersloshy · 2009-11-05 08:39 · Score: 3, Informative

Google Gnash and Swfdec; they're coming along nicely, but aren't 100% replacements as of yet.

--
"Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen

Re:Are their FOSS alternatives to Flash and Shockw by slimjim8094 · 2009-11-05 08:44 · Score: 2, Informative

1. Yes/no.
2. See above. Nobody cares about Shockwave, though.
3. Yes.

It's called Gnash. See http://www.gnu.org/software/gnash/
There's also a few others, such as http://swfdec.freedesktop.org/wiki/ . Gnash is probably better.

--
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.

Here are the shockwave stats - could be a problem by Anonymous Coward · 2009-11-05 08:59 · Score: 5, Informative

Ok, I just compiled some stats on Shockwave version plugin distribution using roughly 30 million unique data points from July 1 of this year until about a week ago - here is roughly the distribution (includes IE/FF/etc. - all major browsers):

Not installed => 67.54%
11,0,0,0 => 2.86%
10,2,0,0 => 2.84%
10,1,0,0 => 2.59%
11,0,0,465 => 2.41%
11,5,0,0 => 2.05%
11,5,1,601 => 1.90%
8,5,1,0 => 1.75%
10,1,4,0 => 1.73%
11,0,0,429 => 1.58%
11,0,3,472 => 1.56%
10,1,1,0 => 1.53%
11,5,0,596 => 1.46%
11,5,0,600 => 1.38%
11,0,3,471 => 1.35%
11,5,0,595 => 1.21%
11,0,0,458 => 0.93%
10,3,0,0 => 0.78%
11,0,3,470 => 0.66%
8,0,0,0 => 0.43%
10,1,3,0 => 0.37%
8,5,0,0 => 0.32%
11,0,3,0 => 0.23%
10,0,0,0 => 0.16%
10,0,1,0 => 0.11%
7,0,0,0 => 0.10%
11,5,1,0 => 0.08%
10,4,0,0 => 0.04%
6,0,0,0 => 0.03%

What is potentially troubling is that there does not appear to be much in the way of upgrade movement in Shockwave installs. So if "Adobe Shockwave Player versions prior to 11.5.2.602" are truly at risk, we are talking about 30% of web users roughly.

I will publish a more in-depth report later today here: http://www.statowl.com/ in the plugin section. I have been neglecting that site anyways - time to update the stats - the past three month are absent - sigh....

Re:Are their FOSS alternatives to Flash and Shockw by AP31R0N · 2009-11-05 08:59 · Score: 1

Thanks, i've added those to my Del.ico.us for later investigation. :)

--
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!

the joy of learned helplessness by epine · 2009-11-05 09:01 · Score: 1

Would you believe, that's the second biggest rootkit I've ever seen?

I guess it's kind of free'ing. I no longer stress about it and focus on more relevant issues

Pretty much where I'm at while I continue to throw good coin at my local robocall entitlement company and diligently recycle dead trees hand delivered by my local robomail entitlement crown corp. There used to be a number of disposable single blade razors that worked well for me, all since driven out of the market. Now I lease my triple-blade manhood from Warren Buffett at triple the price.

Ah yes, the old "and loving it" trick.

Re:People still use Shockwave? by vtcodger · 2009-11-05 09:06 · Score: 1

***I'm a Linux user, you insensitive clod!***

Well, maybe Shockwave will run in WINE. Or VMplayer, vbox, or qemu. There must be 50 ways to get your Linux PC infected with Windows malware if you'd just try.

--
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey

Got rid of my Shockwave. by antdude · 2009-11-05 09:22 · Score: 1

I rarely see Web sites use Shockwave. And if I do, it usually games. 99% of the stuff I see are in Flash. If I need it, I will just reinstall, look/use, and then uninstall it.

--
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

This is not the same thing as flash player... by mario_grgic · 2009-11-05 09:23 · Score: 1

IF you look in Firefox add-ons/plugins it will be listed as

"Shockwave for Director 11.5.2.602"

whereas regular flash player is listed as

"Shockwave Flash 10.0.32.18"

I don't think 450,000,000 desktops out there have a shockwave player installed? I doubt it is that popular.

--
As the island of our knowledge grows, so does the shore of our ignorance.

Re:Here are the shockwave stats - could be a probl by caffeinejolt · 2009-11-05 09:25 · Score: 1

what exactly does "upgrade movement" mean?

That means that it would appear shockwave users do not frequently upgrade. They probably had to install the plugin to view something and then they forget about it. In this case, this may leave more people open to attack.

Re:Are their FOSS alternatives to Flash and Shockw by TheDarkener · 2009-11-05 09:28 · Score: 2, Interesting

2. See above. Nobody cares about Shockwave, though.

Nay, say I and the (many) school districts who visit shockwave-only educational sites. Not having Shockwave Director available on Linux has cost me clients. Talk about a slap in the face for trying to give schools a break by using good software, because they are too attached to bad software..

--
It is pitch black. You are likely to be eaten by a grue.

Anyone else have a problem after updating? by Anonymous Coward · 2009-11-05 09:29 · Score: 1, Interesting

Rolled this out to a small lab (you know how students are, and where they can go, better safe than...).

After installation, *all* users are asked to individually install another component when the Shock embed in the open page attempts to play (which as non-admins, they can't do). Since several of our teaching programs Shockwave this presents a real PITA.

Previously there was no such behavior. Any ideas?

Re:Anyone else have a problem after updating? by oDDmON+oUT · 2009-11-05 13:38 · Score: 1

Try going somewhere with a shockwave embed as an admin, let the install mechanism do it's download happy dance, then have someone with user privileges do the same. I think you'll find that the problem is solved.

--
Some days it's just not worth
chewing through my restraints.

*Title double-take* by JeanPaulBob · 2009-11-05 10:20 · Score: 1

Oh, so this isn't a story about astronomy... what a relief!

Re:Let's Clear the Confusion off the bat by selven · 2009-11-05 10:30 · Score: 1

with dupe jokes, and dupe +5 mods.

and finally a dupe commenting on all the dupes from top to bottom.

surely there must be something original....

"You're very clever, young man, very clever", said the old lady. "But it's DUPES all the way down!"

Re:Remind a noob... by DigitAl56K · 2009-11-05 10:41 · Score: 1

From that article:

(Sometimes you might hear someone refer to "Shockwave Flash", but these are actually two different multimedia players.)

Now go look in the Firefox plugins list (Tools->Add-ons). Yeah... I wonder why people get confused..

Re:Government by Culture20 · 2009-11-05 12:05 · Score: 1

Back when there was a serious MS excel bug, there was a State agency website in Iowa(?) that was serving up an infected xls file for some semi-important accounting thing.

Re:Remind a noob... by azav · 2009-11-05 15:23 · Score: 1

One plays back Flash content in the browser, the other plays back Director content in the browser. Adobe bungled the user perception of this continuing in Macromedia's tradition.

--
- Zav - Imagine a Beowulf cluster of insensitive clods...

Short stupidity story of the day here -- by WoodenTable · 2009-11-05 15:44 · Score: 1

I checked my firefox addons list and sure enough, Shockwave was in there. The plugins were Disabled. Well, I might as well get rid of it if I never use it, no? And so the hunt began. I checked my add/remove list. Nope, not there. I tried searching for its files, but still couldn't find it. I googled how to uninstall it, fretted over the invisible and uninstallable evil program with security holes hiding on my computer as I navigated some links, checked the firefox plugin page, and after ten or so minutes I discovered... ... that I don't actually have Shockwave. Just the firefox plugins, which came along for the ride when I copied firefox over from my old computer.

D'oh.

Re:People still use Shockwave? by V!NCENT · 2009-11-05 22:21 · Score: 1

That's actually a smart thing to do: Install Wine, then the Windows version of Firefox and Flash. It is then run from inside you home folder and can't change anything that requires roo-... Ow shit... the home folder :')

--
Here be signatures

Re:Just in case... by left00coaster · 2009-11-06 00:15 · Score: 1

Actually, I think all the 'thanks' is actually owed to Macromedia, who created both formats and steadfastly maintained them as overlapping (and therefore confusing) functionalities, until Adobe stepped in and bought them up.

Re:Just in case... by clone53421 · 2009-11-06 01:40 · Score: 1

See?! It's so confusing that I was still confused and didn't know it!

--
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

Look out for extra crap during patching by MrSteveSD · 2009-11-06 06:03 · Score: 1

The last Adobe flash update installed McAfee Security Scan without my even noticing. So watch out for those pre-check boxes.

Re:Just in case... by bipbop · 2009-11-06 12:56 · Score: 1

Actually, Macromedia only created Director, back in 1985 (dates taken from Wikipedia timelines). FutureWave Software created Flash (then called FutureSplash) in 1996, eleven years later, as a competitor. Macromedia got scared, so they bought up Flash. But Macromedia definitely made things confusing after they bought it, as you say!

So many programs, so much laziness... by Laptopdude · 2009-11-10 12:44 · Score: 1

Only a month or so ago, I still had Shockwave 9 installed. I'm sure I'm not alone in saying I have a good number of programs installed on my computer, and keeping track of which ones need updates is a real chore that I usually just (unwisely) ignore. But, then I found this great free program called Secunia PSI. Every week I just click "Scan" and it compares the software installed on my computer, including windows, with an online database, and reports anything that has known security vulnerabilities.

Slashdot Mirror

Shockwave Vulnerabilities Affect More Than 450 Million Systems

99 of 130 comments (clear)