Trinity writes "Researchers from VUPEN have discovered criticalvulnerabilities in Adobe Shockwave, a technology installed on over 450 million Internet-enabled desktops. The vulnerabilities could allow remote code execution by tricking a user into visiting a web page using Internet Explorer or even Mozilla Firefox. Version 11.5.1.601 as well as earlier ones are affected. The vendor recommends upgrading to version 11.5.1.602." Especially sobering when you consider Adobe's current push to be essentially required as an intermediary player for anyone who wants to see certain government data.
I'm surprised that anybody's surprised that a new Adobe exploit has surfaced, They seem to have surpassed Microsoft in their zeal to get your PC infected; Microsoft seems to hava actually been getting better in the last couple of years. Or Microsoft seems to at least be trying. Adobe doesn't seem to care.
Being a Director developer, there are some things Director can do that Flash can't:
Control embedded PDF files Manipulate bitmaps Create 3D scenes with physics Make network calls through proxy servers Access/Modify system resources Wider range of media support
Director is actually capable of more than Flash, it just never caught on as well with developers. The mob rules, though.
As there are over a billion computers with Windows vulnerabilities and countless other "at risk" applications that get patched regularly this doesn't sound like a situation all that out of the ordinary. And as with Windows some users will update and some will remain at risk.
I find it harder and harder to really give a shit anymore. All of our systems (linux, Windows,OSX) all have various automatic patching schemes. Once the vendor gets around to fixing their crap (Adobe in this case) we'll ingest the patch and move on.
Once upon a time I monitored the various security announcement lists but ultimately it didn't matter. Most of this crap has become mission critical so turning it off isn't an option, fixing it yourself is rarely and option so you're left with wait and patch solution.
I guess it's kind of free'ing. I no longer stress about it and focus on more relevant issues.
As a dev, autoupdates are evil. It's great if the updates don't change the behavior of whatever is being updated, but it sucks ass when those updates break or as MS is so fond of, remove functionality.
I've spent the last two months straight dealing work arounds for MS patches that have done this and are rolled out across 15k machines overnight.
Autoupdates are dangerous things. You get unexpected changes with no apparent reason. You have become the beta tester for software companies, and it's become accepted since they will patch it later. Hell, video game consoles are now rolling out buggy games sooner than they should because they can 'patch them later'
how about we up our standards a luittle instead and start requiring better engineering instead of treating updates as acceptable and normal
I started to clarify in my initial post but didn't feel like it. We don't *autopatch* anything. We apply applicable patches after testing.
It doesn't change the initial point about not really stressing about announced vulnerabilities. Nothing I can do till they get around to patching it, at which point we'll test and release, though not in this case since we blessedly have no shockwave reqs.
Would you believe, that's the second biggest rootkit I've ever seen?
I guess it's kind of free'ing. I no longer stress about it and focus on more relevant issues
Pretty much where I'm at while I continue to throw good coin at my local robocall entitlement company and diligently recycle dead trees hand delivered by my local robomail entitlement crown corp. There used to be a number of disposable single blade razors that worked well for me, all since driven out of the market. Now I lease my triple-blade manho
If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.
To disable: Look in the root of your C: drive for boot.ini. Start a command line. Attrib c:\boot.ini -r -a -s -h Edit boot.ini (In notepad) Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc) Save boot.ini. In the command window type attrib c:\boot.ini +r +a +s +h Reboot. DEP is now disabled. Install the Shockwave Player update.
Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.
Alternatively you can save a copy of the edited boot.ini, set the attribs to +r +a +s +h, and rename as necessary in case (read: when) you need to disable DEP again in the future.
I figure a lot of users are going to have this problem (again), as Adobe still hasn't fixed this bug.
If the act of simply installing the software relies on violating DEP, do you think that perhaps may be an indication about the quality of the code itself? It may be time to think twice about whether you want it on your system. Uninstalling is probably easier and safer.
by Anonymous Coward
on Thursday November 05, @02:49PM (#29998598)
Ummm, why not use the simple right-click "my computer" and turn DEP off (or just add a DEP exception) instead of editing a text file?
If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.
To disable: Look in the root of your C: drive for boot.ini. Start a command line. Attrib c:\boot.ini -r -a -s -h Edit boot.ini (In notepad) Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc) Save boot.ini. In the command window type attrib c:\boot.ini +r +a +s +h Reboot. DEP is now disabled. Install the Shockwave Player update.
Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.
Been there done that, and DEP status doesn't change unless a reboot happens. And if you've got DEP set to optin in boot.ini, it'll always re-enable itself. Yes, there are other ways to change it, but I always preferred to go directly to the root.
by Anonymous Coward
on Thursday November 05, @02:49PM (#29998600)
And I want to run an application that executes in its data area why?
It would be different if the installer intentionally used some sort of self modifying code system.
But the only possible explanation for why a Shockwave updater fails to run with DEP enabled, is that at least one of its threads is doing some sort of buffer overrun and running off into the woods. It just usually doesn't break things bad enough to make the installation fail, unless DEP actually stops the thread.
Not exactly the type of program I want to be running on my computer.
Sophos AV's heuristics scanning (HIPS) goes mental when you try and install Shockwave; it gets flagged as suspicious behaviour and a buffer overrun risk (Incidentally, Adobe Reader is the same).
To disable:
Look in the root of your C: drive for boot.ini.
Start a command line. Attrib c:\boot.ini -r -a -s -h
Edit boot.ini (In notepad)
Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
Save boot.ini.
In the command window type attrib c:\boot.ini +r +a +s +h
Reboot. DEP is now disabled.
Install the Shockwave Player update.
If I hadn't looked closely I would have assumed this was a relatively painless set of steps an end user would nee
Especially sobering when you consider Adobe's current push to be essentially required as an intermediary player for anyone who wants to see certain government data.
Adobe is pushing for Flash and PDF... not Shockwave and PDF...
2. See above. Nobody cares about Shockwave, though.
Nay, say I and the (many) school districts who visit shockwave-only educational sites. Not having Shockwave Director available on Linux has cost me clients. Talk about a slap in the face for trying to give schools a break by using good software, because they are too attached to bad software..
I just dont use adobe products anymore, either flash, or shockwave, are too seriously integrated into our pcs, that when the day comes that skynet is self aware, that will be the first application it looks to to take over all pcs around the world....have we not learned anything from terminator?
by Anonymous Coward
on Thursday November 05, @03:59PM (#29999618)
Ok, I just compiled some stats on Shockwave version plugin distribution using roughly 30 million unique data points from July 1 of this year until about a week ago - here is roughly the distribution (includes IE/FF/etc. - all major browsers):
What is potentially troubling is that there does not appear to be much in the way of upgrade movement in Shockwave installs. So if "Adobe Shockwave Player versions prior to 11.5.2.602" are truly at risk, we are talking about 30% of web users roughly.
I will publish a more in-depth report later today here: http://www.statowl.com/ [statowl.com] in the plugin section [statowl.com]. I have been neglecting that site anyways - time to update the stats - the past three month are absent - sigh....
I still don't get why they have two of these? Oh, I remember the Macromedia buyouts. I don't think I have Shockwave installed. I didn't think it was being used anymore.
Shockwave is a real 3D system usable as a decent game engine. At one time, it even had the Havok physics engine, but Adobe didn't keep up the payments and had to take that out. Try BMX Street Rider [swgamers.com], which is a reasonably decent free-play game in a modest sized city. It's way ahead of the proposed hacks for doing 3D with Javascript.
What killed Shockwave for trivial applications is "LOADING..." problems. Flash can start before all the content has been loaded, because Flash has two interleaved streams, a timeline and assets. As soon as you have enough assets for the stuff needed by the timeline so far, Flash can go. So you can write Flash that starts fast and loads assets in the background.
NO. Shockwave is Director content compressed for playback over the internet. Director supports xtras, much like Potoshop supports plugins. One of those plugins is a 3D environment, Flash is another. Director is a timeline based bitmap, text, video and vector animation tool with an object oriented scripting language in verbose, dot and javascript syntaxes. Director content can be played back in a standalone disk based app or through a browser that has the Shockwave plugin installed.
No. He's worried that that the government is going to make their data inaccessible to anyone who doesn't install a useless piece if junk that would make their computer insecure.
I did too – then I realized that I didn't have Shockwave in the first place. I had Flash, which is different. Now I'm considering uninstalling Shockwave again, because I didn't need it before and I don't expect to need it in the future.
Are you sure you had it to begin with?
"Shockwave Flash" is Flash (plays.swf files). "Shockwave for Director" is Shockwave (uses.dcr files).
Yes, it's confusing. You can thank Adobe for that.
Well, maybe Shockwave will run in WINE. Or VMplayer, vbox, or qemu. There must be 50 ways to get your Linux PC infected with Windows malware if you'd just try.
Flashblock (Score:4, Insightful)
Not just a good idea. It's the law.
Re:Flashblock (Score:5, Informative)
The only reason to use Shockwave in the past was that it was scriptable. Flash has been scriptable since version 5.
Parent
Re: (Score:2)
It is not Flash Player - it is Shockwave Player, and frankly I am really surprised devs still use Shockwave and people still install Shockwave Player.
In my Firefox, it's called "Shockwave Flash" - one plugin that does both.
Re:Flashblock (Score:5, Informative)
No, it's two different plugins.
1. Shockwave Flash 10.0 r32
2. Shockwave for Director 11.5
You can have 1 without 2, latest versions.
Looks some crazed half-forgotten branding initiative.
Interestingly, the player test page http://www.adobe.com/shockwave/welcome/ [adobe.com] tries to install an old version if you have only Flash:
Macromedia Shockwave Player 10.1
That's the old branding and an old version. But anyway it fails to install. Maybe Adobe is confused by my nightly version of Firefox.
Parent
Re: (Score:2)
No, it's two different plugins.
1. Shockwave Flash 10.0 r32
2. Shockwave for Director 11.5
Yes. This. Also, that's confusing as hell.
Re:Flashblock (Score:4, Informative)
Flash didn't have Shockwave's 3D acceleration until version 10 of Flash. That is why many devs still used Shockwave.
Surprised? Pay more attention to the featureset next time, yea?
Parent
Re:Flashblock (Score:5, Interesting)
I'm surprised that anybody's surprised that a new Adobe exploit has surfaced, They seem to have surpassed Microsoft in their zeal to get your PC infected; Microsoft seems to hava actually been getting better in the last couple of years. Or Microsoft seems to at least be trying. Adobe doesn't seem to care.
Parent
Re:Flashblock (Score:5, Insightful)
They seem to have surpassed Microsoft in their zeal to get your PC infected...
And considering that they have more marketshare than Microsoft, they can actually pull it off.
Parent
Re:Flashblock (Score:5, Informative)
Being a Director developer, there are some things Director can do that Flash can't:
Control embedded PDF files
Manipulate bitmaps
Create 3D scenes with physics
Make network calls through proxy servers
Access/Modify system resources
Wider range of media support
Director is actually capable of more than Flash, it just never caught on as well with developers. The mob rules, though.
Parent
Re:Flashblock (Score:5, Insightful)
Being a Director developer, there are some things Director can do that Flash can't:
Make network calls through proxy servers
Access/Modify system resources
Director is actually capable of more than Flash, it just never caught on as well with developers. The mob rules, though.
This may be nice for a developer, but for a user, this is really scary.
Parent
Re: (Score:3, Insightful)
Flashblock puts a placeholder in front of Flash, Shockwave, Authorware, Java, and Sliverlight.
But there's already a patch (Score:2, Insightful)
As there are over a billion computers with Windows vulnerabilities and countless other "at risk" applications that get patched regularly this doesn't sound like a situation all that out of the ordinary. And as with Windows some users will update and some will remain at risk.
no MSI installer yet (Score:2, Informative)
As of posting, there's no MSI installer for the new version yet, and the .exe installer doesn't seem to support silent installs.
http://www.appdeploy.com/packages/detail.asp?id=1438 [appdeploy.com]
Re: (Score:2)
Big deal. Wrap it in an AutoHotKey script, make it invis, whatever you want. Admins who wait for MSIs are pretty lazy or dont know scripting.
Re: (Score:2)
FTFY.
Re:no MSI installer yet (Score:5, Informative)
So? This isn't Flash. You don't need it to visit 95% of the web. You hardly ever need it – I didn't even have it installed.
Check the add-ons; if you don't have "Shockwave for Director", it isn't even installed. "Shockwave Flash" is the flash player (not Shockwave).
Parent
Hard to care anymore (Score:5, Interesting)
I find it harder and harder to really give a shit anymore. All of our systems (linux, Windows ,OSX) all have various automatic patching schemes. Once the vendor gets around to fixing their crap (Adobe in this case) we'll ingest the patch and move on.
Once upon a time I monitored the various security announcement lists but ultimately it didn't matter. Most of this crap has become mission critical so turning it off isn't an option, fixing it yourself is rarely and option so you're left with wait and patch solution.
I guess it's kind of free'ing. I no longer stress about it and focus on more relevant issues.
Re:Hard to care anymore (Score:5, Insightful)
As a dev, autoupdates are evil. It's great if the updates don't change the behavior of whatever is being updated, but it sucks ass when those updates break or as MS is so fond of, remove functionality.
I've spent the last two months straight dealing work arounds for MS patches that have done this and are rolled out across 15k machines overnight.
Autoupdates are dangerous things. You get unexpected changes with no apparent reason. You have become the beta tester for software companies, and it's become accepted since they will patch it later. Hell, video game consoles are now rolling out buggy games sooner than they should because they can 'patch them later'
how about we up our standards a luittle instead and start requiring better engineering instead of treating updates as acceptable and normal
Parent
Re: (Score:2)
I started to clarify in my initial post but didn't feel like it. We don't *autopatch* anything. We apply applicable patches after testing.
It doesn't change the initial point about not really stressing about announced vulnerabilities. Nothing I can do till they get around to patching it, at which point we'll test and release, though not in this case since we blessedly have no shockwave reqs.
the joy of learned helplessness (Score:2)
Would you believe, that's the second biggest rootkit I've ever seen?
Pretty much where I'm at while I continue to throw good coin at my local robocall entitlement company and diligently recycle dead trees hand delivered by my local robomail entitlement crown corp. There used to be a number of disposable single blade razors that worked well for me, all since driven out of the market. Now I lease my triple-blade manho
If you get an error installing Shockwave... (Score:4, Informative)
If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.
To disable:
Look in the root of your C: drive for boot.ini.
Start a command line. Attrib c:\boot.ini -r -a -s -h
Edit boot.ini (In notepad)
Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
Save boot.ini.
In the command window type attrib c:\boot.ini +r +a +s +h
Reboot. DEP is now disabled.
Install the Shockwave Player update.
Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.
Alternatively you can save a copy of the edited boot.ini, set the attribs to +r +a +s +h, and rename as necessary in case (read: when) you need to disable DEP again in the future.
I figure a lot of users are going to have this problem (again), as Adobe still hasn't fixed this bug.
Re:If you get an error installing Shockwave... (Score:4, Informative)
If the act of simply installing the software relies on violating DEP, do you think that perhaps may be an indication about the quality of the code itself? It may be time to think twice about whether you want it on your system. Uninstalling is probably easier and safer.
Parent
Re:If you get an error installing Shockwave... (Score:5, Informative)
Ummm, why not use the simple right-click "my computer" and turn DEP off (or just add a DEP exception) instead of editing a text file?
If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.
To disable:
Look in the root of your C: drive for boot.ini.
Start a command line. Attrib c:\boot.ini -r -a -s -h
Edit boot.ini (In notepad)
Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
Save boot.ini.
In the command window type attrib c:\boot.ini +r +a +s +h
Reboot. DEP is now disabled.
Install the Shockwave Player update.
Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.
Parent
Re: (Score:2, Informative)
Been there done that, and DEP status doesn't change unless a reboot happens. And if you've got DEP set to optin in boot.ini, it'll always re-enable itself. Yes, there are other ways to change it, but I always preferred to go directly to the root.
Re:If you get an error installing Shockwave... (Score:4, Informative)
And I want to run an application that executes in its data area why?
It would be different if the installer intentionally used some sort of self modifying code system.
But the only possible explanation for why a Shockwave updater fails to run with DEP enabled, is that at least one of its threads is doing some sort of buffer overrun and running off into the woods. It just usually doesn't break things bad enough to make the installation fail, unless DEP actually stops the thread.
Not exactly the type of program I want to be running on my computer.
Parent
Re: (Score:2)
Sophos AV's heuristics scanning (HIPS) goes mental when you try and install Shockwave; it gets flagged as suspicious behaviour and a buffer overrun risk (Incidentally, Adobe Reader is the same).
Holy crap! When did linux get here? (Score:2)
Look in the root of your C: drive for boot.ini.
Start a command line. Attrib c:\boot.ini -r -a -s -h
Edit boot.ini (In notepad)
Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
Save boot.ini.
In the command window type attrib c:\boot.ini +r +a +s +h
Reboot. DEP is now disabled.
Install the Shockwave Player update.
If I hadn't looked closely I would have assumed this was a relatively painless set of steps an end user would nee
Re: (Score:2)
I have no C:, you insensitive clod!
(I have a root though.)
Re: (Score:2)
If you have WINE, you could use "Z:"... :)
Government not using Shockwave... ? (Score:2)
Especially sobering when you consider Adobe's current push to be essentially required as an intermediary player for anyone who wants to see certain government data.
Adobe is pushing for Flash and PDF... not Shockwave and PDF...
Re: (Score:2)
So? It's still ridiculous to use it on such a site.
Re: (Score:2)
Are their FOSS alternatives to Flash and Shockwave (Score:2, Interesting)
1) Are there FOSS alternatives to Flash and/or Shockwave?
2) Why(not)?
3) If there was, would it help reduce problems like this?
Please don't mod me as trolling for asking questions!
Re: (Score:3, Informative)
Google Gnash and Swfdec; they're coming along nicely, but aren't 100% replacements as of yet.
Re: (Score:2)
Thanks, i've added those to my Del.ico.us for later investigation. :)
Re: (Score:3, Informative)
1. Yes/no.
2. See above. Nobody cares about Shockwave, though.
3. Yes.
It's called Gnash. See http://www.gnu.org/software/gnash/ [gnu.org]
There's also a few others, such as http://swfdec.freedesktop.org/wiki/ [freedesktop.org] . Gnash is probably better.
Re: (Score:3, Interesting)
2. See above. Nobody cares about Shockwave, though.
Nay, say I and the (many) school districts who visit shockwave-only educational sites. Not having Shockwave Director available on Linux has cost me clients. Talk about a slap in the face for trying to give schools a break by using good software, because they are too attached to bad software..
Simlpe dont use any adobe products (Score:3, Funny)
I just dont use adobe products anymore, either flash, or shockwave, are too seriously integrated into our pcs, that when the day comes that skynet is self aware, that will be the first application it looks to to take over all pcs around the world....have we not learned anything from terminator?
Here are the shockwave stats - could be a problem (Score:5, Informative)
Ok, I just compiled some stats on Shockwave version plugin distribution using roughly 30 million unique data points from July 1 of this year until about a week ago - here is roughly the distribution (includes IE/FF/etc. - all major browsers):
Not installed => 67.54%
11,0,0,0 => 2.86%
10,2,0,0 => 2.84%
10,1,0,0 => 2.59%
11,0,0,465 => 2.41%
11,5,0,0 => 2.05%
11,5,1,601 => 1.90%
8,5,1,0 => 1.75%
10,1,4,0 => 1.73%
11,0,0,429 => 1.58%
11,0,3,472 => 1.56%
10,1,1,0 => 1.53%
11,5,0,596 => 1.46%
11,5,0,600 => 1.38%
11,0,3,471 => 1.35%
11,5,0,595 => 1.21%
11,0,0,458 => 0.93%
10,3,0,0 => 0.78%
11,0,3,470 => 0.66%
8,0,0,0 => 0.43%
10,1,3,0 => 0.37%
8,5,0,0 => 0.32%
11,0,3,0 => 0.23%
10,0,0,0 => 0.16%
10,0,1,0 => 0.11%
7,0,0,0 => 0.10%
11,5,1,0 => 0.08%
10,4,0,0 => 0.04%
6,0,0,0 => 0.03%
What is potentially troubling is that there does not appear to be much in the way of upgrade movement in Shockwave installs. So if "Adobe Shockwave Player versions prior to 11.5.2.602" are truly at risk, we are talking about 30% of web users roughly.
I will publish a more in-depth report later today here: http://www.statowl.com/ [statowl.com] in the plugin section [statowl.com]. I have been neglecting that site anyways - time to update the stats - the past three month are absent - sigh....
Re:Let's Clear the Confusion off the bat (Score:5, Funny)
First dupe articles, now dupe posts! [slashdot.org]
Parent
Re:Remind a noob... (Score:5, Informative)
What's the difference between Shockwave and Flash?
Or are they the same thing? If so, why two names for it?
You're welcome. [adobe.com]
Parent
Re: (Score:2)
I still don't get why they have two of these? Oh, I remember the Macromedia buyouts. I don't think I have Shockwave installed. I didn't think it was being used anymore.
Even Adobe can't explain Shockwave properly. (Score:5, Informative)
Even Adobe can't explain Shockwave properly.
Shockwave is a real 3D system usable as a decent game engine. At one time, it even had the Havok physics engine, but Adobe didn't keep up the payments and had to take that out. Try BMX Street Rider [swgamers.com], which is a reasonably decent free-play game in a modest sized city. It's way ahead of the proposed hacks for doing 3D with Javascript.
What killed Shockwave for trivial applications is "LOADING..." problems. Flash can start before all the content has been loaded, because Flash has two interleaved streams, a timeline and assets. As soon as you have enough assets for the stuff needed by the timeline so far, Flash can go. So you can write Flash that starts fast and loads assets in the background.
Parent
Re: (Score:3, Informative)
NO. Shockwave is Director content compressed for playback over the internet. Director supports xtras, much like Potoshop supports plugins. One of those plugins is a 3D environment, Flash is another. Director is a timeline based bitmap, text, video and vector animation tool with an object oriented scripting language in verbose, dot and javascript syntaxes. Director content can be played back in a standalone disk based app or through a browser that has the Shockwave plugin installed.
Director content can
Re: (Score:3, Funny)
Sex? Cars? Come on, I'm sure we can think of something.
Re: (Score:2)
Sex in cars? Sexy cars? Car-on-car sex?
The possibilities are a bit limited if you only give us two options.
Re:Government (Score:5, Informative)
> Is he worried the gov will abuse this hole?
No. He's worried that that the government is going to make their data inaccessible to anyone who doesn't install a useless piece if junk that would make their computer insecure.
Parent
Re: user stupidity (Score:2)
It is much easier to patch 700 million PCs than it is to make stupid people smarter.
And we're clearly not doing such a good job of patching 700 million PCs.
Re:Just in case... (Score:5, Informative)
I did too – then I realized that I didn't have Shockwave in the first place. I had Flash, which is different. Now I'm considering uninstalling Shockwave again, because I didn't need it before and I don't expect to need it in the future.
Are you sure you had it to begin with?
"Shockwave Flash" is Flash (plays .swf files). "Shockwave for Director" is Shockwave (uses .dcr files).
Yes, it's confusing. You can thank Adobe for that.
Parent
Re: (Score:2)
***I'm a Linux user, you insensitive clod!***
Well, maybe Shockwave will run in WINE. Or VMplayer, vbox, or qemu. There must be 50 ways to get your Linux PC infected with Windows malware if you'd just try.