
Zero Day

Ryan Naraine and Dancho Danchev

Critical Adobe Shockwave flaw affects millions

June 24, 2009, 9:41am PDT

Adobe’s Shockwave Player contains a critical vulnerability that could be exploited by remote hackers to take complete control of Windows computers, according to a warning from the software maker.

The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions. Details from Adobe’s advisory:

This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system.  Adobe has provided a solution for the reported vulnerability (CVE-2009-1860).  This issue was previously resolved in Shockwave Player 11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a backwards compatibility mode variation of the issue with Shockwave Player 10 content.  To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here: http://get.adobe.com/shockwave/.  This issue is remotely exploitable.

Adobe boasts that 450 million Internet-enabled desktops have installed Adobe Shockwave Player.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback Most Recent of 105 Talkback(s)

  • Another
    It seems every time I turn around now Adobe is having a critical flaw in one program or another. If it weren't for PDF files I think even Acrobat would be gone.
    Erroneous
    24th Jun 2009
  • Adobe updates
    I'd be happy if I could get an Adobe update that would install instead of just trying and failing over and over. Sabotage at the home of Photoshop?
    ptcruiser70663
    24th Jun 2009
  • I've never had an Adobe update fail on me
    Unless the installation stuff in the registry has gotten 'hosed' by something. If you are having that problem, it might not be the update's problem but something fooling with registry entries to MAKE THE UPDATE FAIL!
    Lerianis10
    1st Jul 2009
  • Windows Update...
    Microsoft should be working with Adobe to get this crap patched via Windows Update.

    No it isn't their responsibility, but neither is providing FreeAV. They should do it because it makes Windows Easier to admin and more secure.

    As Windows becomes a more secure product, malware writers are taking advantage of common 3rd party software such as Acrobat, iTunes/QT, even AV. As an admin for small biz, rolling out patches is easy if it's a Microsoft product; it's automated and auditable. If it's Acrobat, it's hours of manual labor!

    If the current trend continues (3rd party exploitation) all the work Microsoft has put forth since XP SP2 will be for naught, as malware writers simply sidestep OS exploits and move on to application exploits. Offering Windows Update as a universal repo/updating service seems to be the only prudent solution.
    JoeMama_z
    24th Jun 2009
  • It can be done
    For a fee, big to me, but small for a large company, you can have your software included in Windows Update. IIRC it is less than the cost of maintaining your own update servers.
    mswift@...
    24th Jun 2009
  • You're kidding..
    Microsoft is not responsible for every piece of software on the market. Nor should they be responsible for the patching process of a competitor's product.
    For the record, Adobe could get their patch distributed through Windows Update if they go through the process to do so.
    Enough of the 'All bad things are Microsoft's fault'. It's getting really old. They aren't the bad guys, it's the uneducated/misinformed pundits that are the problem.
    Cravon
    24th Jun 2009
  • I addressed this in my original post...
    I agree, not Microsoft's fault.

    If Adobe/other can distribute updates through Windows Update, they should. Microsoft should make this very veeeeeeery accessible to 3rd parties.

    The fact of the matter is that these flaws can and will damage the supporting operating system, and end users aren't going to care or investigate what caused the issue. They'll just think poorly of Windows, not a desirable outcome for Microsoft.

    The same reasoning behind ESE AV applies to what I've proposed.

    I also agree that ignorant users are the underlying problem with desktop security, but simply blaming them and calling it a day didn't fly with XP, I doubt it will fly in this case either.
    JoeMama_z
    24th Jun 2009
  • This system works for Linux
    Nearly every Linux distribution handles ALL updates for security issues with the software applications used. At least the distros I have used. Can't say all do since I have not used all. For now, I dual boot with XP and Mint. Last night I clicked on MintUpdate and got all the latest updates. No hassle. With XP Pro, all I get is Windows updates automatically and for my A/V. And lots of exploit warnings from ZDNet.

    Paul
    It's an Operating System, not a religion.
    pfyearwood
    30th Jun 2009
  • hopefully better...
    but sure. That's one area of the Linux desktop I have no problem saying is better.

    Granted the way most Linux distros implement it I don't really care for, but the idea is pretty solid.
    JoeMama_z
    24th Jun 2009
  • Linux Updates (Re: Linux Mint)
    The Update Manager will check for and provide updates to the OS and all the installed programs (Open Source) by typing in the password and clicking the install button. Updates are available almost immediately and generally 4-5 program (non-critical) updates surface every couple of days.

    Non-open source programs are dependent on updates from the respective company and may take longer. The Open Source "Community" produces updates very quickly compared to MS and other proprietary companies like Adobe.

    Dual boot instructions:

    http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=65771&messageID=1234408
    Joe.Smetona
    30th Jun 2009
  • To wit Microsoft replies...
    ...we already deployed an update to Shockwave, it's called Silverlight. Bahaha! Wait, maybe if Adobe sues Microsoft on the grounds that including Silverlight in Windows 7 is anti-competitive and detrimental to Shockwave's market share, they might capitulate. It seems to be the trend you know...
    ReadWryt (error)
    25th Jun 2009
  • It's detrimental
    To the internet as a whole... just not quite as much so as ActiveX.
    AzuMao
    26th Jun 2009