Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Critical Adobe Shockwave flaw affects millions

By Ryan Naraine | June 24, 2009, 9:41am PDT

Adobe’s Shockwave Player contains a critical vulnerability that could be exploited by remote hackers to take complete control of Windows computers, according to a warning from the software maker.

The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions. Details from Adobe’s advisory:

This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Adobe has provided a solution for the reported vulnerability (CVE-2009-1860). This issue was previously resolved in Shockwave Player 11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a backwards compatibility mode variation of the issue with Shockwave Player 10 content. To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here: http://get.adobe.com/shockwave/. This issue is remotely exploitable.

Adobe boasts that 450 million Internet-enabled desktops have installed Adobe Shockwave Player.
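The advisory tells users what to install but not how to find out what they have. The script below is an added example (not from the article, and not Adobe's own tooling) that reports whether the Shockwave Player on a Windows host is below the 11.5.0.600 fix build. It assumes two things the page does not state: that Shockwave registers an Add/Remove Programs entry whose DisplayName begins "Adobe Shockwave", and that its player DLL is SwDir.dll under <windir>\System32\Adobe\Director (32-bit Windows) or <windir>\SysWOW64\Adobe\Director (64-bit Windows, since the plug-in is 32-bit). Both are labelled as assumptions in the code.

```powershell
# Added example, not from the article or from Adobe: report whether the
# installed Shockwave Player is older than the 11.5.0.600 build that fixes
# CVE-2009-1860 (the advisory says 11.5.0.596 and earlier are affected).
#
# ASSUMPTIONS (not stated on the page):
#  - the Add/Remove Programs entry has a DisplayName starting "Adobe Shockwave"
#  - the player DLL is SwDir.dll under System32\Adobe\Director (32-bit Windows)
#    or SysWOW64\Adobe\Director (64-bit Windows, 32-bit plug-in)

$FixedVersion = [version]'11.5.0.600'

function Get-ShockwaveInstalls {
    # Registry: native and 32-bit (Wow6432Node) views of the Uninstall key.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Adobe Shockwave*' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Source  = 'Registry'
                    Name    = $_.DisplayName
                    Version = "$($_.DisplayVersion)"
                }
            }
    }
    # File: the DLL the browser actually loads. The numeric version fields of
    # the PE resource are more reliable than whatever string the installer wrote.
    $dllPaths = @(
        (Join-Path $env:windir 'System32\Adobe\Director\SwDir.dll'),
        (Join-Path $env:windir 'SysWOW64\Adobe\Director\SwDir.dll')
    )
    foreach ($dll in $dllPaths) {
        if (Test-Path -LiteralPath $dll) {
            $vi = (Get-Item -LiteralPath $dll).VersionInfo
            New-Object PSObject -Property @{
                Source  = 'File'
                Name    = $dll
                Version = ('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            }
        }
    }
}

function Test-ShockwaveVulnerable {
    param([string]$VersionString)
    # Accept "11.5.0.596", "11.5" or "11.5.0.596 (something)": keep the leading dotted digits.
    if ($VersionString -match '^\s*(\d+(\.\d+){1,3})') {
        return ([version]($Matches[1]) -lt $FixedVersion)
    }
    return $null   # unparseable: say so rather than silently assume it is patched
}

$installs = @(Get-ShockwaveInstalls)
if ($installs.Count -eq 0) {
    Write-Output 'No Shockwave Player found: this host is not exposed to CVE-2009-1860.'
}
foreach ($i in $installs) {
    $vuln = Test-ShockwaveVulnerable $i.Version
    if ($vuln -eq $true) {
        $state = 'VULNERABLE: uninstall, restart, then install 11.5.0.600'
    } elseif ($vuln -eq $false) {
        $state = 'patched'
    } else {
        $state = 'unknown version format, check manually'
    }
    Write-Output ('{0}: {1} {2} -> {3}' -f $i.Source, $i.Name, $i.Version, $state)
}
```

Run it from an ordinary PowerShell prompt; reading HKLM and file version resources needs no elevation. Because the advisory describes the 11.5.0.600 fix as closing a variation of the bug first fixed in 11.0.0.465, the check treats anything below 11.5.0.600 as vulnerable, including hosts that took the earlier fix. The registry and file results are reported separately on purpose: a stale uninstall entry and an updated DLL (or the reverse) is exactly the case the uninstall-restart-reinstall instruction is meant to avoid.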



Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Comments (105)

Another
Erroneous 24th Jun 2009
It seems every time I turn around now Adobe is having a critical flaw in one program or another. If it weren't for PDF files I think even Acrobat would be gone.
Adobe updates
ptcruiser70663 24th Jun 2009
I'd be happy if I could get an Adobe update that would install instead of just trying and failing over and over. Sabotage at the home of Photoshop?
Unless the installation stuff in the registry has gotten 'hosed' by something. If you are having that problem, it might not be the update's problem but something fooling with registry entries to MAKE THE UPDATE FAIL!
Windows Update...
JoeMama_z 24th Jun 2009
Microsoft should be working with Adobe to get this crap patched via Windows Update.

No, it isn't their responsibility, but neither is providing free AV. They should do it because it makes Windows easier to admin and more secure.

As Windows becomes a more secure product, malware writers are taking advantage of common 3rd party software such as Acrobat, iTunes/QT, even AV. As an admin for a small biz, rolling out patches is easy if it's a Microsoft product; it's automated and auditable. If it's Acrobat, it's hours of manual labor!

If the current trend continues (3rd party exploitation) all the work Microsoft has put forth since XP SP2 will be for naught, as malware writers simply sidestep OS exploits and move on to application exploits. Offering Windows Update as a universal repo/updating service seems to be the only prudent solution.
It can be done
mswift@... 24th Jun 2009
For a fee, big to me, but small for a large company, you can have your software included in Windows Update. IIRC it is less than the cost of maintaining your own update servers.
You're kidding..
Cravon 24th Jun 2009
Microsoft is not responsible for every piece of software on the market. Nor should they be responsible for the patching process of a competitors product.
For the record, Adobe could get their patch distributed through Windows Update if they go through the process to do so.
Enough of the 'All bad things are Microsoft's fault'. It's getting really old. They aren't the bad guys, it's the uneducated/misinformed pundits that are the problem.
I agree, not Microsoft's fault.

If Adobe/other can distribute updates through Windows Update, they should. Microsoft should make this very veeeeeeery accessible to 3rd parties.

The fact of the matter is that these flaw can and will damage the supporting operating system, and end users aren't going to care or investigate what caused the issue. They'll just think poorly of Windows, not a desirable outcome for Microsoft.

The same reasoning behind ESE AV applies to what I've proposed.

I also agree that ignorant users are the underlying problem with desktop security, but simply blaming them and calling it a day didn't fly with XP, I doubt it will fly in this case either.
This system works for Linux
pfyearwood 30th Jun 2009
Nearly every Linux distribution handles ALL updates for security issues with the software applications used. At least the distros I have used. Can't say all do since I have not used all. For now, I dual boot with XP and Mint. Last night I clicked on MintUpdate and got all the latest updates. No hassle. With XP Pro, all I get is Windows updates automatically and for my A/V. And lots of exploit warnings from ZDNet.

Paul
It's an Operating System, not a religion.
What! you mean do it the Linux way?!?!?!?!
PCLinuxOS(user) 24th Jun 2009
nt
hopefully better...
JoeMama_z 24th Jun 2009
but sure. That's one area of the Linux desktop I have no problem saying is better.

Granted the way most Linux distro's implement it I don't really care for, but the idea is pretty solid.
Linux Updates (Re: Linux Mint)
Joe.Smetona Updated - 30th Jun 2009
The Update Manager will check for and provide updates to the OS and all the installed programs (Open Source) by typing in the password and clicking the install button. Updates are available almost immediately and generally 4-5 program (non-critical) updates surface every couple of days.

Non-open source programs are dependent on updates from the respective company and may take longer. The Open Source "Community" produces updates very quickly compared to MS and other proprietary companies like Adobe.

Dual boot instructions:

http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=65771&messageID=1234408

To wit, Microsoft replies...
ReadWryt (error) 25th Jun 2009
...we already deployed an update to Shockwave, it's called Silverlight. Bahaha! Wait, maybe if Adobe sues Microsoft on the grounds that including Silverlight in Windows 7 is anti-competitive and detrimental to Shockwave's market share, they might capitulate. It seems to be the trend you know...
It's detrimental
AzuMao Updated - 26th Jun 2009
To the internet as a whole... just not quite as much so as ActiveX.

I agree with you;
AzuMao 30th Jun 2009
Microsoft should copy *nix again. If they used the *nix update system that has existed for almost a decade, problems like this wouldn't occur. There wouldn't be all these out of date programs getting hacked.
So much for "quarterly updates"
honeymonster 24th Jun 2009
This one is going to need an out-of-cycle patch.
Quarterly patches
Ryan Naraine 24th Jun 2009
The quarterly patch cycle only applies to Adobe Reader and Acrobat. Adobe said up front it won't apply to any other software products (Flash, Shockwave, etc.)

_r
My bad then
honeymonster 25th Jun 2009
Thanks for correcting. Anyway, I'm just glad they patched this one. Seems nasty.

Maybe Adobe is suffering from the same thing.

Help me out here.
Timewellwasted Updated - 24th Jun 2009
Are you saying Shockwave has become so integrated that you don't even realize how often it is used or have you made a different flash player the default? I'm asking only because the average user does not realize how many .ocx files they see a day. Or are you saying you have disabled Flash files all together?

EDIT: I was in grave error with the Shockwave/Flash mix-up in the above statement, I would change it but maybe someone else may read it and the reply and be confused.
Shockwave files ARE NOT FLASH FILES!
No Shockwave here
Alzie 24th Jun 2009
I just went to the Adobe site to check. I have Flash, I do not have Shockwave.

Funny thing is I don't get any "you need Shockwave" notices on the web.
SMACK!
Timewellwasted 24th Jun 2009
That was the sound of me smacking my forehead...
And not in awe of you not knowing the difference...
But rather in an AH HA moment! You set off the alarm bells for me with your statement. Adobe makes both Shockwave Player and Flash Player but they are not the same thing. My bad..
Shockwave files are not as common as Flash files and I was in error in my previous question! Thanks for replying, that was an oops moment!
On some game sites...
Greenknight_z 25th Jun 2009
...you may encounter Shockwave games. Not as common as Flash, and it's not used for regular Web content.
They are from Director, a Macromedia (now Adobe) product whose popularity has waned in recent years. Director is currently at version 11.5; I haven't used it since 8.0.

Even though it has a very similar interface to Flash, Flash+ActionScript has pretty much replaced it and its dead programming language Lingo. Kinda like Latin now, I guess?

Director's greatest downfall was that it worked primarily with raster/bitmap images, where Flash works and creates vector art for a huge file saving.

Director is on death row because of that, and the huge file sizes it used to create. Fine for CD-Rom distribution, but too big for the web.
I wish that providers of software like Shockwave could settle on an update protocol that is universal. Failing that, they should make clear just what they expect of users. Sometimes it is critical that we uninstall the previous version before we use the "Agree and install now" option on a web page. Sometimes the update is smart enough to uninstall the old version before installing the new. Sometimes the old directory is retained for at least one past version and a new subdirectory is created for the latest and greatest. This sometimes raises hob with folks like Secunia who help us ordinary mortals keep our machines clean. Am I alone in my irritation regarding updates?

baumgrenze
Be wary when installing this SECURITY update in Firefox [Shockwave_Installer_Slim.exe] as the Google Toolbar will be PRE-checked to install along with the latest Shockwave Player.
Flash insecurity, so what else is new?
Spiritusindomit@... 24th Jun 2009
Large reason I don't use it.
They are both Adobe's products, but they aren't interchangeable.
I saw no information in the article itself to help anyone determine if they have the affected version, although I haven't looked at the Adobe site for that info and probably should. It would likely save me a lot of work trying to find out. Come on ZDNet folks, make the articles truly useful, please...

Steve
Adobe spread too thin
webstalkers@... 24th Jun 2009
Adobe is doing the same thing MS does: too many products, rushed releases and not enough resources. If they want to stay away from the black cloud MS has cast over it they need to SLOW down and CONCENTRATE. They make great products but are getting sloppy.
Same thing every popular Software is doing.
Timewellwasted 24th Jun 2009
I agree with you, completely. Adobe, MS, Apple, Ubuntu, Cisco, Red Hat and Apache all seem to have done the same thing: move forward with less regard for security than in the past. I'm wondering if it has become more economically feasible to allow "3rd party" researchers (hackers, for lack of a better word) to find more obscure security cracks and flaws than to do the work themselves? They make them public, the manufacturers provide a patch.
Just a thought..
Not necessarily.
AzuMao 26th Jun 2009
The black-hat ones aren't going to spam them all over the place, they are going to use them in discreet ways, since they spent a lot of time finding them and don't want them patched..

RE: Adobe spread too thin
X-Doomer 25th Jun 2009
Sure sure, let's all blame MS again. Now that they're doing a good job at shutting up the complainers and boycotters of those that continued to make their OS better (Windows 7 passes MAC OS now). Linux is still DOS with a shell with their own little toy apps and server tools but nothing for the real ******** users that need a computer to work with. I say MS is defending itself much better and now the destroyers (hackers, virus and malware writers) will now have to attack app writers that have been taken for granted. Next, I wish that MAC and Linux will be hit for their complacency and lack of vigilance.

Have you noticed that as soon as you're successful and people buy your product there are jealous people that try to destroy your great work? I have.

Jealousy drives their passion to destroy. Imagine if their efforts were put to good use instead, you might just have an OS that is great. Oh wait, they'd be afraid that other jealous people would do the same to theirs!!! DOH!

Agreed.
AzuMao 26th Jun 2009
If they start throwing Q.C. out the window like MS has they're going to be getting a lot of hate their way.

Adobe's website is useless to anyone trying to figure out what the difference is between Shockwave and Flash.

The difference
Greenknight_z 25th Jun 2009
Both are multimedia apps, but Shockwave is used almost exclusively for games these days. Shockwave content is slower to load, but can be more elaborate. For more details, see: http://www.howstuffworks.com/web-animation6.htm
Right in one
Lerianis10 1st Jul 2009
Flash is used for things like online video.
Shockwave is used for things like games, that have TONS of different things that 'change' in them.
because there are still siblings.
magallanes 25th Jun 2009
In fact, you still can find that flash is referenced as Macromedia Shockwave flash component.

:-/

They are not the same thing though. They install separately, they uninstall separately, they play different types of files, and have different vulnerabilities.

"a backwards compatibility mode variation"
David Hamilton 24th Jun 2009
Do they speak English? Jeez!!

They're all English words, but not combined in any useful form....

I think he meant
AzuMao 26th Jun 2009
The part of it meant to play old files.
Ryan, more info about this issue?
JoeMama_z 24th Jun 2009
Does IE8 w/UAC and LPU sandboxing on Vista/7 mitigate the issue, or does Shockwave somehow bypass these protections?

Haha, that's exactly what I thought when I read that. What a goof.

I have tried everything, including uninstalling Reader, rebooting and reinstalling Reader, and the last update still fails with a Data Execution Protection (DEP) failure on my AMD dual core notebook running Vista 32bit Ultimate. I even tried logging in as THE Administrator (normally a hidden account).

Sure hope THIS update works.
PDF xchange
JoeMama_z 24th Jun 2009
Tiny little PDF reader, great features, free, and not Acrobat.
Get used to it.
AzuMao 26th Jun 2009
It's impossible even to update a little browser extension on Windows without giving it UAC and admin privileges. That's just the way things are in the Windows world.

Linux not affected (probably)
onetwothreemike 24th Jun 2009
Right? rriigghhtt?

right!
RE: Linux not affected (probably)
X-Doomer 25th Jun 2009
Who cares about the penguin that nobody uses for work! Don't worry, Linux's turn will come soon enough. Then we'll all see that it's not all that it's cracked up to be! I'm sure there are plenty of holes in it, but as it's not on that many home or work machines it is not even considered worth attacking. That or the attackers are the Linux writers in the first place! Just a thought!

Uh-huh
AzuMao 25th Jun 2009
Right.. because it's not like most of the internet is run by *nix machines or anything like that, right?

[/sarcasm]
