exe file might have been produced for PC playback of the same file.Īs a former Macromedia and Adobe employee who used all these authoring programs it is no surprise that Adobe is “late to the game” in updating Shockwave to the current Flash library as it will require a bit of testing that inevitably will not catch every possible “glitch” of using the 2 technologies together but the security issues should be easier to address. dcr (Director Compressed Resource) is what is published from Adobe Director for web playback, alternatively a. Overall the comments above are accurate if you don’t need it get rid of it. This entry was posted on Wednesday 21st of May 2014 09:05 AM Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin - not Adobe Shockwave Player. To remove Shockwave, grab Adobe’s uninstall tool here. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. “We are reviewing our security update process in order to mitigate risks in Shockwave Player,” Edell said.įor those who need Shockwave Player installed for some reason, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET 4.1 or higher)) can help prevent the exploitation of this weakness. Because of this, it may be easier to exploit a vulnerability when Flash is hosted by Shockwave, for example.”Īdobe spokeswoman Heather Edell confirmed that CERT’s information is correct, and that the next release of Shockwave Player will include the updated version of Flash Player. In the case of Shockwave, there are some mitigations missing in a number of modules, such as SafeSEH. “One of the things that helps make a vulnerability more difficult is how many of the exploit mitigations a vendor opts in to. “So not only are the vulnerabilities there, but they’re easier to exploit as well,” Dormann said. That’s because Shockwave has several modules that don’t opt in to trivial exploit mitigation techniques built into Microsoft Windows, such as SafeSEH. “So architecturally, it’s just flawed to provide its own Flash.”ĭormann said he initially alerted the public to this gaping security hole in 2012 via this advisory, but that he first told Adobe about this lackluster update process back in 2010.Īs if that weren’t bad enough, Dormann said it may actually be easier for attackers to exploit Flash vulnerabilities via Shockwave than it is to exploit them directly against the standalone Flash plugin itself. “Flash updates can come frequently, but Shockwave not so much,” Dormann said. Worse yet, Dormann said, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2013. By my count, Adobe has issued nearly 20 separate security updates for Flash since then, including fixes for several dangerous zero-day vulnerabilities. In a recent post on the release of the latest bundle of security updates for Adobe’s Flash player, Dormann commented that Shockwave actually provides its own version of the Flash runtime, and that the latest Shockwave version released by Adobe has none of the recent Flash fixes. My re-education on this topic comes courtesy of Will Dormann, a computer security expert who writes threat advisories for Carnegie Mellon University’s CERT. But I was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, it bundles a component of Adobe Flash that is more than 15 months behind on security updates, and which can be used to backdoor virtually any computer running it. This author has long advised computer users who have Adobe‘s Shockwave Player installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it’s yet another plugin that requires constant updating.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |