Slashdot Mirror


Shockwave Vulnerabilities Affect More Than 450 Million Systems

Trinity writes "Researchers from VUPEN have discovered critical vulnerabilities in Adobe Shockwave, a technology installed on over 450 million Internet-enabled desktops. The vulnerabilities could allow remote code execution by tricking a user into visiting a web page using Internet Explorer or even Mozilla Firefox. Version 11.5.1.601 as well as earlier ones are affected. The vendor recommends upgrading to version 11.5.1.602." Especially sobering when you consider Adobe's current push to be essentially required as an intermediary player for anyone who wants to see certain government data.

4 of 130 comments

  1. Hard to care anymore by belthize · Score: 5, Interesting

    I find it harder and harder to really give a shit anymore. All of our systems (Linux, Windows, OSX) all have various automatic patching schemes. Once the vendor gets around to fixing their crap (Adobe in this case) we'll ingest the patch and move on.

    Once upon a time I monitored the various security announcement lists but ultimately it didn't matter. Most of this crap has become mission critical so turning it off isn't an option, fixing it yourself is rarely an option so you're left with a wait-and-patch solution.

    I guess it's kind of freeing. I no longer stress about it and focus on more relevant issues.

  2. Re:If you get an error installing Shockwave... by Anonymous Coward · Score: 5, Informative

    Ummm, why not use the simple right-click "my computer" and turn DEP off (or just add a DEP exception) instead of editing a text file?

    If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.

    To disable:
    Look in the root of your C: drive for boot.ini.
    Start a command line. Attrib c:\boot.ini -r -a -s -h
    Edit boot.ini (In notepad)
    Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
    Save boot.ini.
    In the command window type attrib c:\boot.ini +r +a +s +h
    Reboot. DEP is now disabled.
    Install the Shockwave Player update.

    Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.
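
The procedure in the comment above leaves DEP off system-wide if its final re-edit step is skipped. The following audit of a collected boot.ini copy is an added example, not part of the original thread; the function name `audit_boot_ini` and the sample file contents are constructed for illustration.

```python
import re

# Values the /noexecute= boot switch accepts; AlwaysOff turns DEP off system-wide.
KNOWN_POLICIES = {"optin", "optout", "alwayson", "alwaysoff"}

def audit_boot_ini(text):
    """Return one (label, policy, status) tuple per [operating systems] entry."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "operating systems":
            continue
        # Entry form: <ARC path>="<menu label>" /switch /switch=value ...
        m = re.match(r'[^=]+=\s*"([^"]*)"(.*)$', line)
        if not m:
            continue
        label, switches = m.groups()
        sw = re.search(r"/noexecute=(\S+)", switches, re.IGNORECASE)
        policy = sw.group(1).lower() if sw else None
        if policy is None:
            status = "unspecified"      # no switch on this entry: review by hand
        elif policy not in KNOWN_POLICIES:
            status = "unknown-value"    # typo or stray characters from a manual edit
        elif policy == "alwaysoff":
            status = "dep-disabled"     # the state the install workaround leaves behind
        else:
            status = "ok"
        findings.append((label, policy, status))
    return findings

# Constructed sample: the first entry is what the file looks like when the
# re-enable step was skipped; the second still carries the stock setting.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /noexecute=AlwaysOff /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP (second install)" /fastdetect /noexecute=optin
'''

if __name__ == "__main__":
    for label, policy, status in audit_boot_ini(SAMPLE_BOOT_INI):
        print(f"{status:13} {policy or '-':10} {label}")
```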

  3. Re:Flashblock by Tubal-Cain · Score: 5, Insightful

    They seem to have surpassed Microsoft in their zeal to get your PC infected...

    And considering that they have more marketshare than Microsoft, they can actually pull it off.

  4. Here are the shockwave stats - could be a problem by Anonymous Coward · Score: 5, Informative

    Ok, I just compiled some stats on Shockwave version plugin distribution using roughly 30 million unique data points from July 1 of this year until about a week ago - here is roughly the distribution (includes IE/FF/etc. - all major browsers):

    Not installed => 67.54%
    11,0,0,0 => 2.86%
    10,2,0,0 => 2.84%
    10,1,0,0 => 2.59%
    11,0,0,465 => 2.41%
    11,5,0,0 => 2.05%
    11,5,1,601 => 1.90%
    8,5,1,0 => 1.75%
    10,1,4,0 => 1.73%
    11,0,0,429 => 1.58%
    11,0,3,472 => 1.56%
    10,1,1,0 => 1.53%
    11,5,0,596 => 1.46%
    11,5,0,600 => 1.38%
    11,0,3,471 => 1.35%
    11,5,0,595 => 1.21%
    11,0,0,458 => 0.93%
    10,3,0,0 => 0.78%
    11,0,3,470 => 0.66%
    8,0,0,0 => 0.43%
    10,1,3,0 => 0.37%
    8,5,0,0 => 0.32%
    11,0,3,0 => 0.23%
    10,0,0,0 => 0.16%
    10,0,1,0 => 0.11%
    7,0,0,0 => 0.10%
    11,5,1,0 => 0.08%
    10,4,0,0 => 0.04%
    6,0,0,0 => 0.03%

    What is potentially troubling is that there does not appear to be much in the way of upgrade movement in Shockwave installs. So if "Adobe Shockwave Player versions prior to 11.5.2.602" are truly at risk, we are talking about 30% of web users roughly.

    I will publish a more in-depth report later today here: http://www.statowl.com/ in the plugin section. I have been neglecting that site anyways - time to update the stats - the past three months are absent - sigh....