Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Adobe Shockwave haunted by critical security holes

By | November 3, 2009, 12:12pm PST

Summary: Adobe today released a patch to fix several serious security flaws in its Shockwave Player software. The most serious flaw could allow remote code execution attacks against Windows and Mac users.

Adobe today released a patch to fix several serious security flaws in its Shockwave Player software.

The update, which is rated “critical,” addresses a total of five documented vulnerabilities. The most serious flaw could allow remote code execution attacks against Windows and Mac users.

From Adobe’s bulletin:

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.1.601 and earlier versions. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations using the instructions provided below.

The update applies to Shockwave Player 11.5.1.601 and earlier versions.  Adobe’s patch can be downloaded here.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

26 Comments


RE: Adobe Shockwave haunted by critical security holes
efsane Updated - 8th Apr 2011
Great!!! thanks for sharing this information to us!
sesli sohbet sesli chat
0 Votes
> Adobe Shockwave haunted by critical security holes
the_fiddler_on_the_roof 3rd Nov 2009
Should Adobe rename parts of their software suite (not only this one) as Shockware? wink The simple justification is that it was shocking to the vendor.
On one of my machines (with all security software up to date and running in the background), visiting msnbc.com causes IE8 to crash on Windows Server 2008 64-bit. Other sites work fine. The stack trace points to Shockwave.
Adobe Shockwave, Flash and Reader are 32-bit only bloatware, full of holes, slow like Windows Vista on a Pentium 100MHz with 4MB of RAM. Searching for a text phrase in Reader is probably code implemented 10 years ago and untouched since then. "Find" taking 30 seconds to go through 600-page ebook? Is the Adobe Reader team stuck with IBM PC Jr machines to do their work or what?
I've seen the trend lately with all software. Everything IS Inherently dangerous.

I'll tone down & add more to discussions, only If, & only if, others tone down also. You know who I mean people?!
0 Votes
ActiveX, the malware injector of the decade.
0 Votes
Wow
AzuMao Updated - 3rd Nov 2009
More security problems from Adobe.

Who the **** would've guessed?

I've had just about enough of them. Hopefully when all browsers support HTML5 with the canvas element there will be no more need for their products.

Adobe Acrobat has been replaced by Foxit.
Adobe Photoshop has been replaced by GIMP.

All that's left to go are their browser plugins!



Edit: whoops, nevermind. False alarm. Only
affects Windows and Mac. All is well for people
using decent OSs. happy
0 Votes
You sir are a card of the same deck.
Intellihence 3rd Nov 2009
I've been called many things here, but I will tell you I love running as
much as I can with no difficulties.
0 Votes
It's all Apple's fault
Wintel BSOD 3rd Nov 2009
honeymonster will tell you.

wink
0 Votes
How does it feel hitting
Stan57 3rd Nov 2009
How does it feel hitting your head with a frying pan? Must feel great because you keep doing it, nothing changes no matter what ya say so keep smacking yourself in the head, it's just too funny lol. freetards, bunch of crying losers, they actually think what they say means anything to anyone who uses computers AHAHAHAHHAH
0 Votes
Do you have problems reading?
AzuMao 4th Nov 2009
Only people using Windows or Mac are affected by
this. So I don't have anything to "cry" about, I'm
just laughing at the misfortune of the Windows/Mac
users.
0 Votes
because only people using Windows or Macs can
actually run Shockwave.

There is no Shockwave for Linux.

Great move by Linux there, limiting
vulnerabilities by offering only limited and
sub-standard software. Keep up the good work.

Now scurry back and troubleshoot your WiFi and audio. While you're at it, maybe you can contribute some fixes for those nasty null-pointer vulnerabilities which seem to exist in abundance in Linux?
0 Votes
Re. There is no Shockwave.
Bilmekanikeren 4th Nov 2009
You are quite right. In general there is very little garbageware like Shockwave and some other things I can think of for Linux. This is a good thing (tm)
0 Votes
Didn't take you long...
Wintel BSOD 4th Nov 2009
to troll about Apple, now did you...

lol...
0 Votes
Apple?
honeymonster 4th Nov 2009
Didn't take you long to troll about Apple, now
did you...

Explain, please?
0 Votes
Explanation
AzuMao 5th Nov 2009
Apple pie LOL!

Look at the triangulation of the bird and
pyramids.
0 Votes
If you don't know by now...
Wintel BSOD 5th Nov 2009
...why you were asked that, then there's no hope for you.

Or you're just playing dumb.

Which is it? wink
0 Votes
Do you have any point whatsoever?
AzuMao Updated - 4th Nov 2009
You've mentioned a big plus of Linux (that it is
not afflicted by Shockwave) but I already
mentioned it. What is the point of repeating me?
If you agreed with my post, you could have simply
replied with "Agreed n/t" in the subject and "nt"
in the body, so that people wouldn't waste their
time clicking on your post.
0 Votes
Yes, a big plus for Linux is that it has
honeymonster Updated - 5th Nov 2009
only very limited application offerings, and
those which are there are sub-standard.

Even though Shockwave may have vulnerabilities, there are those who actually consider it useful. It is about choice, you see.

But on Linux you don't have choice. You have to put up with far fewer choices and often sub-standard alternatives. Think OpenOffice.

Even if I wanted shockwave on my Linux box, and
accepted the risk, I couldn't do it.
0 Votes
Bzzzt, try again.
AzuMao 5th Nov 2009
You're free to run it in a sandbox like WINE or
Cedega, in which case it can't do any damage to
the system if it is exploited.

It just won't run natively.
0 Votes
Bzzzt. Try again
honeymonster 5th Nov 2009
I suppose you successfully installed Shockwave
on Linux on Wine?

Liar.

http://www.bing.com/search?q=shockwave+wine&src=IE-SearchBox&FORM=IE8SRC

and

http://www.google.dk/search?hl=da&source=hp&q=shockwave+Wine&btnG=Google-s%C3%B8gning&meta=&aq=0&oq=

Read and weep.

Shockwave can only run inside a browser
through wine or some other emulation layer.
With thoroughly abysmal experience.

And if you should succeed against those tough
odds, you are just as vulnerable as the
Windows/Mac counterparts.

But thanks for playing.

Bzzzzt.
0 Votes
I would disagree!
vilppuu@... 6th Nov 2009
Linux is about choice, there are numerous interesting programs for
doing a lot of different kinds of work. Open Office cuts me better PDFs
from doc files than anything else around, Audacity is good for moving
those cassettes over to digital, and there is a wide choice of Web
authoring software. There is also Kstars and numerous other special
interest programs. The only drawback I have found is that I have
customized Photoshop7 to do a lot of things that at this point in time
cannot be done with Gimp.
Linux is not yet "mainstream" plug and play, and it is still helpful when
using it, to know how to use terminal and command lines. One thing
that has definitely improved is getting specific "how to" information in
HTML format rather than dried reissues of "man" pages.
However, Linux is free and it offers a lot of free choices, many many
more than any other OS.

It's a browser plugin. So yes of course it's run in a browser. What's your point?
0 Votes
Dear Adobe...
Agnostic_OS 4th Nov 2009
Please put "Adobe security" in a Google search and just look at the cr*p your CUSTOMERS have been through.

Adobe's ability to deliver safe software is an oxymoron.
0 Votes
WOW
Dear Adobe,
Thank you for making our software holes seem small these days compared to yours. Keep up the excellent work with keeping all the attention to your products.
Sincerely,
Every other software maker
0 Votes
Dear every other software maker,
AzuMao 4th Nov 2009
Thank you for your continued support and
understanding of our special needs.

Sincerely,
The Adobetards
0 Votes