Critical Adobe Shockwave flaw affects millions


Adobe's Shockwave Player contains a critical vulnerability that could be exploited by remote hackers to take complete control of Windows computers, according to a warning from the software maker.

The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions. Details from Adobe's advisory:

This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system.  Adobe has provided a solution for the reported vulnerability (CVE-2009-1860).  This issue was previously resolved in Shockwave Player 11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a backwards compatibility mode variation of the issue with Shockwave Player 10 content.  To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here: http://get.adobe.com/shockwave/.  This issue is remotely exploitable.

Adobe boasts that 450 million Internet-enabled desktops have installed Adobe Shockwave Player.


Talkback

103 comments
  • Another

    It seems every time I turn around now Adobe is having a critical flaw in one program or another. If it weren't for PDF files I think even Acrobat would be gone.
    Erroneous
    • Adobe updates

      I'd be happy if I could get an Adobe update that would install instead of just trying and failing over and over. Sabotage at the home of Photoshop?
      ptcruiser70663
      • I've never had an Adobe update fail on me

        Unless the installation stuff in the registry has gotten 'hosed' by something. If you are having that problem, might not be the update's problem but something fooling with registry entries to MAKE THE UPDATE FAIL!
        Lerianis10
  • Windows Update...

    Microsoft should be working with Adobe to get this crap patched via Windows Update.

    No it isn't their responsibility, but neither is providing FreeAV. They should do it because it makes Windows Easier to admin and more secure.

    As Windows becomes a more secure product, malware writers are taking advantage of common 3rd party software such as Acrobat, iTunes/QT, even AV. As an admin for small biz, rolling out patches is easy if it's a Microsoft product; it's automated and auditable, if it's Acrobat it's hours of manual labor!

    If the current trend continues (3rd party exploitation) all the work Microsoft has put forth since XP SP2 will be for naught, as malware writers simply sidestep OS exploits and move onto application exploits. Offering Windows Update as a universal repo/updating service seems to be the only prudent solution.
    JoeMama_z
    • It can be done

      For a fee, big to me, but small for a large company, you can have your software included in Windows Update. IIRC it is less than the cost of maintaining your own update servers.
      mswift@...
    • You're kidding..

      Microsoft is not responsible for every piece of software on the market. Nor should they be responsible for the patching process of a competitor's product.
      For the record, Adobe could get their patch distributed through Windows Update if they go through the process to do so.
      Enough of the 'All bad things are Microsoft's fault'. It's getting really old. They aren't the bad guys, it's the uneducated/misinformed pundits that are the problem.
      Cravon
      • I addressed this in my original post...

        I agree, not Microsoft's fault.

        If Adobe/other can distribute updates through Windows Update, they should. Microsoft should make this very veeeeeeery accessible to 3rd parties.

        The fact of the matter is that these flaws can and will damage the supporting operating system, and end users aren't going to care or investigate what caused the issue. They'll just think poorly of Windows, not a desirable outcome for Microsoft.

        The same reasoning behind ESE AV applies to what I've proposed.

        I also agree that ignorant users are the underlying problem with desktop security, but simply blaming them and calling it a day didn't fly with XP, I doubt it will fly in this case either.
        JoeMama_z
      • This system works for Linux

        Nearly every Linux distribution handles ALL updates for security issues with the software applications used. At least the distros I have used. Can't say all do since I have not used all. For now, I dual boot with XP and Mint. Last night I clicked on MintUpdate and got all the latest updates. No hassle. With XP Pro, all I get is Windows updates automatically and for my A/V. And lots of exploit warnings from ZDNet.

        Paul
        It's an Operating System, not a religion.
        pfyearwood
    • What! you mean do it the Linux way?!?!?!?!

      nt
      PCLinuxOS(user)
      • hopefully better...

        but sure. That's one area of the Linux desktop I have no problem saying is better.

        Granted the way most Linux distros implement it I don't really care for, but the idea is pretty solid.
        JoeMama_z
      • Linux Updates (Re: Linux Mint)

        The Update Manager will check for and provide
        updates to the OS and all the installed programs
        (Open Source) by typing in the password and
        clicking the install button. Updates are
        available almost immediately and generally 4-5
        program (non-critical) updates surface every
        couple of days.

        Non-open source programs are dependent on
        updates from the respective company and may take
        longer. The Open Source "Community" produces
        updates very quickly compared to MS and other
        proprietary companies like Adobe.

        Dual boot instructions:

        http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=65771&messageID=1234408
        Joe.Smetona
    • To wit Microsoft replies...

      ...we already deployed an update to Shockwave, it's called Silverlight. Bahaha! Wait, maybe if Adobe sues Microsoft on the grounds that including Silverlight in Windows 7 is anti-competitive and detrimental to Shockwave's market share, they might capitulate. It seems to be the trend you know...
      ReadWryt (error)
      • It's detrimental

        To the internet as a whole... just not quite as
        much so as ActiveX.
        AzuMao
    • I agree with you;

      Microsoft should copy *nix again. If they used the *nix update system that has existed for almost a decade, problems like this wouldn't occur. There wouldn't be all these out of date programs getting hacked.
      AzuMao
  • So much for "quarterly updates"

    This one is going to need an out-of-cycle patch.
    honeymonster
    • Quarterly patches

      The quarterly patch cycle only applies to Adobe Reader and Acrobat. Adobe said up front it won't apply to any other software products (Flash, Shockwave, etc.)

      _r
      Ryan Naraine
      • My bad then

        thanks for correcting. Anyway, I'm just glad they patch this one. Seems nasty.
        honeymonster
  • I had to look at the side of a milk carton to remember what Shockwave was

    Maybe Adobe is suffering from the same thing.
    maskman01
    • Help me out here.

      Are you saying Shockwave has become so integrated that you don't even realize how often it is used or have you made a different flash player the default? I'm asking only because the average user does not realize how many .ocx files they see a day. Or are you saying you have disabled Flash files altogether?

      EDIT: I was in grave error with the Shockwave/Flash mix-up in the above statement, I would change it but maybe someone else may read it and the reply and be confused.
      Shockwave files ARE NOT FLASH FILES!
      Timewellwasted
      • No Shockwave here

        I just went to the Adobe site to check. I have Flash, I do not have Shockwave.

        Funny thing is I don't get any "you need Shockwave" notices on the web.
        Alzie