2020. 4. 10. 12:42ㆍ카테고리 없음
This author has long advised computer users who have Adobe‘s installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it’s yet another plugin that requires constant updating. But I was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, it bundles a component of Adobe Flash that is more than 15 months behind on security updates, and which can be used to backdoor virtually any computer running it. My re-education on this topic comes courtesy of Will Dormann, a computer security expert who writes threat advisories for Carnegie Mellon University’s CERT.
In a recent post on the release of the latest bundle of security updates for Adobe’s Flash player, Dormann commented that Shockwave actually provides its own version of the Flash runtime, and that the latest Shockwave version released by Adobe has none of the recent Flash fixes. Worse yet, Dormann said, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2013. By my count, Adobe for Flash since then, including fixes for several dangerous zero-day vulnerabilities.
“Flash updates can come frequently, but Shockwave not so much,” Dormann said. “So architecturally, it’s just flawed to provide its own Flash.” Dormann said he initially alerted the public to this gaping security hole in 2012 via, but that he first told Adobe about this lackluster update process back in 2010. As if that weren’t bad enough, Dormann said it may actually be easier for attackers to exploit Flash vulnerabilities via Shockwave than it is to exploit them directly against the standalone Flash plugin itself. That’s because Shockwave has several modules that don’t opt in to trivial exploit mitigation techniques built into Microsoft Windows, such as. “So not only are the vulnerabilities there, but they’re easier to exploit as well,” Dormann said. “One of the things that helps make a vulnerability more difficult to exploit is how many of the a vendor opts in to.
In the case of Shockwave, there are some mitigations missing in a number of modules, such as SafeSEH. Because of this, it may be easier to exploit a vulnerability when Flash is hosted by Shockwave, for example.” Adobe spokeswoman Heather Edell confirmed that CERT’s information is correct, and that the next release of Shockwave Player will include the updated version of Flash Player. “We are reviewing our security update process in order to mitigate risks in Shockwave Player,” Edell said. For those who need Shockwave Player installed for some reason, Microsoft’s (EMET 4.1 or higher)) can help prevent the exploitation of this weakness.
Not sure whether your computer has Shockwave installed? If you visit and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. To remove Shockwave, grab Adobe’s uninstall tool. Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.
Adobe Reader Air And Shockwave Player For Mac Pro
That’s not entirely surprising, since Chrome doesn’t support NSAPI (or ActiveX) plugins. The only reason Flash works is because Google came up with it’s own proprietary closed source API for plugins, and Google rewrites Flash for their API with every update. As a result no NSAPI plugins work with Chrome, which means you have no way of making Shockwave work with Chrome (in the case of Shockwave it’s no great loss, but a great many integrated applications require access to a plugin of one sort or another). Sorry I don’t have time to browse any farther than you guys’ exchange (to check if anyone has already posted this): I couldn’t see anything at his link–neither an animation nor an enticement to install–but did get the info at this one:, which is the home p.
Adobe Shockwave Uninstaller
For Shockwave Player Help; Step #1 in “How to Install Shockwave Player in 5 easy steps” = Check if Shockwave Player is installed on your computer. I clicked CHECK NOW and got “Sorry, Shockwave Player is either not installed or disabled on your machine. Please go to Step 2.” Needless to say, I did NOT go to Step 2. Unfortunately, this is a chicken and an egg scenario. The best way to convince corporations to stop requiring these plugins is for their customers to start refusing to install them. I’ve been trying for months to get my company’s purchasing policies changed to require C-level sign off on any software requiring Flash, Shockwave, Silverlight, or Java, as well as adding verbiage to all RFPs stating that preference will be given to solutions not requiring such technologies. I strongly feel that until vendors start losing significant business due to their reliance on insecure software, nothing is likely to change.
@Brian – for FF, Tools/Add-Ons brings up Add-ons Manager, and (on my version anyway – 29.0.1) both Shockwave and Shockwave Director are indicated. And each can be “activated/de-activated” using the dropdown.
For those still using (shudder) IE – Tools/Manage Addons. Shockwave may be listed there, as well as a Disable button on lower right @MartinPrince – flash and shockwave are 2 different products. @grayslady – as Brian has pointed out multiple times before, if you don’t specifically have reason to HAVE it, remove/uninstall it. As for the DCR file – I’ve found four uses for it using my favorite search engine.
Thanks again Brian. Overall the comments above are accurate; if you don’t need it get rid of it.
The.dcr (Director Compressed Resource) is what is published from Adobe Director for web playback, alternatively a.exe file might have been produced for PC playback of the same file. As a former Macromedia and Adobe employee who used all these authoring programs it is no surprise that Adobe is “late to the game” in updating Shockwave to the current Flash library as it will require a bit of testing that inevitably will not catch every possible “glitch” of using the 2 technologies together but the security issues should be easier to address. I still use the Shockwave plug-in on a few sites for an immersive experience that HTML 5 and current standards have not yet caught up with but will shortly. Also.dcr = Adobe Director or Shockwave on the web,.swf = Adobe Flash or Flash on the web (but may other Adobe and non-Adobe products produce.swf files),.pdf = Adobe Acrobat (but may other Adobe and non-Adobe products produce.pdf files) and a.aam file = Macromedia/Adobe Authorware which is an all but dead product. You would probably be surprised by how much legacy code from other products/plug-ins are part of another player or plug-in but that is mostly due to various product and feature teams working on various aspects/versions of Adobe software; not a grand conspiracy just the bizarre world of corporate software development. I recently downloaded Ubuntu 14.04 onto a laptop that was XP (and I refused to purchase another Windows product to replace it).
As an Ubuntu newbie, I am learning a lot and having fun, but obviously not up to speed on it. It seems to me that at one time in the past several weeks I did see the “shockwave plugin died” on some website. I have Google Chrome running as my browser. Do I check in the same manner to see if I have shockwave, or is it an Ubuntu version of shockwave (like pipelight for silverlight)? In my experience (IME), that’s usually Shockwave Flash Plugin died, and it’s typically being used to play sounds for new mail notifications from background tabs.
Be a bit more careful when reading the information bar 2. If I’m correct, then as Brian notes, this is actually Flash and not Director 3.
Any crash in a plug-in should be considered a possible security risk, since unless you have very technical knowledge about how it crashed, you can’t know if it’s exploitable. There is one exception which is that modern browsers tend for kill plug-in instances when they aren’t responsive.
Depending on which UI you look at, these mercy killings may appear in a place which normally seems to only cover crashes, but hangs aren’t typically indicative of being exploitable for the purpose of running untrustworthy code. I don’t believe that Adobe Shockwave Player was ever released for Linux.
The Google Chrome OS plug-ins that ship with the browser are Adobe Flash Player and a PDF Reader. Two links regarding Adobe Shockwave Player and Linux: “Does the Chrome OS support Adobe Shockwave Player?” In the first link, note that Linux is not included in the drop-down list of supported operating systems. In the second link, note that Chrome OS is, like Ubuntu, GNU/Linux and both the responders state that there is no Linux-native version of the Shockwave Player plugin. The problems that led to this are: 1. Adobe is an old content producing company.
Content companies are focused on features – security wasn’t an initial part of the problem space, originally you trusted the person who created the content. Adobe is the result of the merging of a number of companies. Each company had its own teams, products, culture, roadmaps, and release cycles. In merging, they tried to leverage value from other parts of the company – namely the (Action) Script Runtime from what was Macromedia Flash was far superior to the runtime in Shockwave Director or Adobe Acrobat, so it was used to replace the runtimes in both.
While it replaced the runtime, the release / update model for Director and Reader wasn’t update to reflect the fact that the integrated component has security flaws. Note that 3 isn’t precisely bad, before Adobe would have had 3 independently buggy and potentially exploitable script runtimes, each of which needing its own team of experts who not understood the functionality / requirements of that specific runtime as well as the specialized field of security.
(As a disclaimer, I once applied to work for Adobe in this specific area, but they changed their mind as to what kind of role it would be. Within the browser world, the fact that these three plugins shared a runtime was known years ago – certainly I was aware when I spoke with Adobe at the time and I knew a couple of years before. I remember asking them about their plans to address this too.) None of these flaws are particularly unique to Adobe.
Consider how many products bundle OpenSSL, or zlib (there used to be bugs here), or even just bundle their own Java runtime. Technically (and even practically), all of these probably need to have resources and a plan to ship updates to their products whenever these components have announced security updates. But very few do. Another example is all of the Android phone vendors who don’t bother shipping security updates for their products. Those updates are often caused by components consumed by Google Android which are in turn consumed by Vendor (e.g. LG or Samsung).
Before it was Android, the same problem affected Symbian phones. (Disclaimer 2, instead of joining Adobe, I left one phone company for another.) Security updates are not something product management people learn about in school. It isn’t covered in business classes. It doesn’t fit well with how anything else works. There is no controlled schedule.
It requires monitoring N unrelated components, it requires understanding whether a given component is even used in a way where it would be impacted – consider people who updated an OpenSSL system from before the vulnerability to one which was in fact vulnerable in response to the Heartbleed announcement. The use of the word “Flash” in this thread I suppose refers to Adobe Flash?? If so, more emphasis should have been made to separate it from Adobe Shockwave which is, in all of its forms, the problem for Adobe. As Flash seemed to be persona non grata I removed it as well as Shockwave and found that I could no longer read or open videos used by respectable newspapers online using both Firefox and Chrome.
I have re-installed Flash but it has seriously affected its performance using it to open online articles in the Mail for example. As for Shockwave – Chrome’s version last year crashed my pc and cost me an enormous cost in time and money for a complete wipe and re-install. I like to think of myself as somewhat knowledgeable in the matter of Flash and Shockwave (because of my old hobby of trying to get old online games to work), so let me explain why Adobe actually bundles Flash into Shockwave from the start. You see, Shockwave long predates Flash, and, years ago, it was one of the major browser plugins. Shockwave has a modular structure, so that the actual plugin download is kept more lightweight and so that Shockwave movies that require different modules (these modules are actually called Director Xtras) can load them themselves.
However, some Xtras were very commonly required, and the chances were that some 96% of shockwave users would download them anyway, so more and more Xtras got bundled with the plugin download. So, the popular Adobe Flash plugin started out as just another one of these Xtras, which allowed to use exceptionally good and easy-to-make animation. Its popularity grew, and soon the Flash Xtra was added to the bundled Xtras that get installed with Shockwave. Time went, Macromedia got bought by Adobe, and Flash got a programming language of its own (ActionScript), and then became an independent plugin, surpassing Shockwave in popularity and making its parent plugin fall into decay, oblivion and horrible backward compatibility. However, Shockwave still uses the Flash Xtra. Because it is still one of the most broadly used Xtras. Adobe’s policies in this respect had no reason to change.
But the Xtra (which is basically a specially compressed DLL) and the actual Flash Player are now so different that porting the newest version of Flash with all the patches into its Xtra version would require lots of work and money, which just wouldn’t pay off, since Shockwave is seldom used today. I live in a very backwards African nation where Internet access is slow and relatively expensive. I use a 3G+ wireless modem for access at my home.
It works fairly well, for the most part, but I really get tired of having to load animated adverts for $15,000 dollar watches and celebrity goings on. I don’t like paying to download something I don’t want to see either. I also get tired of having to constantly update programs for security reasons. I uninstalled Shockwave and Flash and was pleasantly surprised to find that not only do I not have to worry about the security holes and downloading adverts I don’t want to see, but, also, Firefox works much better, and the parts of web pages I do want to see load faster without the Adobe addons. It’s like having a band width accelerator plugin. So far I haven’t seen any websites that need either plugin.