Topic 'Re: Flaws in Adobe Shockwave' in forum 'Security' - dslreports.com

Re: Flaws in Adobe Shockwave

Mon, 24 Dec 2012 00:19:33 EDT

siljaline posted : Although this Wikipedia article has multiple issues and is outdated in some ways, it's probably the best resource on the subject there is.
»en.wikipedia.org/wiki/Adobe_Shockwave

Re: Flaws in Adobe Shockwave

Sun, 23 Dec 2012 22:37:04 EDT

Dustyn posted :

said by antdude:

Isn't Shockwave only used for games? I never understood why they need this when they have Flash!

Not sure but I think Shockwave still has potential.
I found it a hell of a lot more useful in the mid to late 90's. I still continue to install and support the installation of updates to Shockwave, but I see little use of it right now.

Found this little quote on differences between Flash and Shockwave:

The difference between the Macromedia Flash and Shockwave Players

Flash and Shockwave Players are both free web Players from Adobe. Together, they bring you the best rich media content on the Internet. Each has a distinct purpose. Flash Player delivers fast loading front-end web applications, high-impact web site user interaction, interactive online advertising, and short to medium form animation.

Shockwave Player displays destination web content such as interactive multimedia product demos and training, e-merchandising applications, and rich-media multi-user games. Through Xtras, Shockwave Player is also extendable to playback custom-built applications.
--
Remember that cool hidden "Graffiti Wall" here on BBR? After the name change I became the "owner", so to speak as it became: Dustyn's Wall »[Serious] RIP

Re: Flaws in Adobe Shockwave

Sun, 23 Dec 2012 22:06:46 EDT

antdude posted : Isn't Shockwave only used for games? I never understood why they need this when they have Flash!

Re: Flaws in Adobe Shockwave

Sat, 22 Dec 2012 01:25:52 EDT

siljaline posted : Adobe to patch 2-year-old Shockwave vulnerability next year

quote:
Adobe plans in February to close a dangerous hole in its Shockwave application that causes the application to be downgraded when a user launches older multimedia content, allowing hackers to target years-old vulnerabilities.

The U.S. Computer Emergency Readiness Team (U.S. CERT) issued an Advisory on the vulnerability, which could allow an attacker to deliver malware and execute arbitrary code, considered to be one of the most dangerous kinds of flaws.

U.S. CERT notified Adobe of the problem on Oct. 27, 2010, but an Adobe spokesperson said Wednesday that the problem will be closed with the next major upgrade of Shockwave, scheduled for Feb. 12.

Article

Re: Flaws in Adobe Shockwave

Wed, 19 Dec 2012 21:37:30 EDT

Sindows 7 posted :

said by therube:

It was always difficult to differentiate the Flash Player from the Shockwave Player when discussing one or the other or one from the other.

Seems to me that in the past they called this "Adobe Shockwave Flash Player".
Now it looks like they more simply & more clearly call it "Adobe Shockwave Player".

At least that is good :-).

I would think that for the majority who may have it installed, likely a default install from some store-bought computer, they never actually have had the need to use it, so the obvious thing to do, if you don't need it, is to uninstall it.

(As if Flash alone isn't bad enough ;-).)

yep I'm at a loss on this one

Re: Flaws in Adobe Shockwave

Wed, 19 Dec 2012 20:27:51 EDT

siljaline posted : Good catch on the older Kreb's article, hurleyp Uninstalled

Re: Flaws in Adobe Shockwave

Wed, 19 Dec 2012 19:57:42 EDT

hurleyp posted : Brian Krebs notes that this problem was identified in October 2010, but Adobe won't be fixing it until February 2013. :o

»krebsonsecurity.com/2012/12/shoc···ave-bug/

As the article notes, if you aren't using Adobe Shockwave (and remember, this isn't Adobe Flash) then get rid of it.
--
"I reject your reality and substitute my own."

Re: Flaws in Adobe Shockwave

Wed, 19 Dec 2012 18:39:48 EDT

siljaline posted : As this has just broke as of late yesterday or today.
It may not be clear what all attack vectors are.
Adobe users are probably best served uninstalling Shockwave if absolutely not required.

Re: Flaws in Adobe Shockwave

Wed, 19 Dec 2012 18:36:45 EDT

siljaline posted : I've just uninstalled Shockwave as it's a trivial application in my case. Until Adobe fixes yet another mess.
CERT is now saying it's apt to downgrading :uhh:
»www.kb.cert.org/vuls/id/546769

Re: Flaws in Adobe Shockwave

Wed, 19 Dec 2012 18:27:46 EDT

Juggernaut posted : I may be wrong but, why do I get the feeling these vectors are exploited because Adobe has its SW phoning home about user data?

Just a thought.
--
"I fear the day that technology will surpass our human interaction. The world will have a generation of idiots." ~ Albert Einstein

Re: Flaws in Adobe Shockwave

Wed, 19 Dec 2012 16:46:50 EDT

therube posted : It was always difficult to differentiate the Flash Player from the Shockwave Player when discussing one or the other or one from the other.

Seems to me that in the past they called this "Adobe Shockwave Flash Player".
Now it looks like they more simply & more clearly call it "Adobe Shockwave Player".

At least that is good :-).

I would think that for the majority who may have it installed, likely a default install from some store-bought computer, they never actually have had the need to use it, so the obvious thing to do, if you don't need it, is to uninstall it.

(As if Flash alone isn't bad enough ;-).)

Flaws in Adobe Shockwave

Wed, 19 Dec 2012 16:28:14 EDT

siljaline posted : US-CERT Warns of Three Remotely Exploitable Flaws in Adobe Shockwave

Attackers could exploit three Adobe Shockwave flaws to remotely execute code on vulnerable systems, according to three advisories published by US-CERT this week.

quote:
The United States Computer Emergency Response Team (US-CERT) issued three separate vulnerability notices pointing out flaws in Adobe's Shockwave Player. One issue has to do with how extensions are used in Shockwave Player, while another refers to the outdated version of Flash Player being bundled into Shockwave Player. The final issue is a design flaw and allows attackers to force users to use a more vulnerable version of the player.

Attackers can trick users into viewing malicious Shockwave movies and take advantage of the security holes to remotely execute code on vulnerable computers, US-CERT said. No fix is available for any of these issues at this time, according to the Advisory

Article.