Why You Should Ditch Adobe Shockwave (Krebs on Security)

This author has long advised computer users who have Adobe's Shockwave Player installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it's yet another plugin that requires constant updating. But I was positively shocked this week to learn that this software introduces a far more pernicious problem: turns out, it bundles a component of Adobe Flash that is more than 1.

My re-education on this topic comes courtesy of Will Dormann, a computer security expert who writes threat advisories for Carnegie Mellon University's CERT. In a recent post on the release of the latest bundle of security updates for Adobe's Flash Player, Dormann commented that Shockwave actually provides its own version of the Flash runtime, and that the latest Shockwave version released by Adobe has none of the recent Flash fixes.

Worse yet, Dormann said, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2. By my count, Adobe has issued nearly 2. Flash since then, including fixes for several dangerous zero-day vulnerabilities.

"Flash updates can come frequently, but Shockwave not so much," Dormann said. "So architecturally, it's just flawed to provide its own Flash."

Dormann said he initially alerted the public to this gaping security hole in 2. Adobe about this lackluster update process back in 2.

As if that weren't bad enough, Dormann said it may actually be easier for attackers to exploit Flash vulnerabilities via Shockwave than it is to exploit them directly against the standalone Flash plugin itself. That's because Shockwave has several modules that don't opt in to trivial exploit mitigation techniques built into Microsoft Windows, such as SafeSEH.

"So not only are the vulnerabilities there, but they're easier to exploit as well," Dormann said. "One of the things that helps make a vulnerability more difficult to exploit is how many of the exploit mitigations a vendor opts in to. In the case of Shockwave, there are some mitigations missing in a number of modules, such as SafeSEH. Because of this, it may be easier to exploit a vulnerability when Flash is hosted by Shockwave, for example."

Adobe spokeswoman Heather Edell confirmed that CERT's information is correct, and that the next release of Shockwave Player will include the updated version of Flash Player. "We are reviewing our security update process in order to mitigate risks in Shockwave Player," Edell said.

For those who need Shockwave Player installed for some reason, Microsoft's Enhanced Mitigation Experience Toolkit (EMET) 4.

Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or, in the case of Google Chrome, for some reason just automatically downloads the installer), then you don't have Shockwave installed. To remove Shockwave, grab Adobe's uninstall tool here. Mozilla Firefox users should note that the presence of the "Shockwave Flash" plugin listed in the Firefox Add-ons section denotes an installation of the Adobe Flash Player plugin, not Adobe Shockwave Player.

Tags: Adobe Shockwave, CERT, EMET, Enhanced Mitigation Experience Toolkit, Heather Edell, Macromedia Flash, Will Dormann. This entry was posted on Wednesday, May 2. Other.

You can follow any comments to this entry through the RSS 2. Both comments and pings are currently closed.

As a side note, I tried the test on Adobe's site and my Chrome does not know what to do with it. I'm simply prompted to download a .dcr file that Windows does not.
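Dormann's point about modules that do not opt in to SafeSEH can be checked directly on any 32-bit PE file. The following is an added example, not code from Krebs, CERT or Adobe: it parses the PE headers, finds the load configuration directory and reports whether the SEHandlerTable is populated (or the NO_SEH flag is set), which is what the Windows loader consults to enforce SafeSEH; the sample image it checks is constructed inline, and `safeseh_status` can equally be given the bytes of a real DLL read from disk.

```python
import struct

LOAD_CONFIG_INDEX = 10   # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
NO_SEH = 0x0400          # IMAGE_DLLCHARACTERISTICS_NO_SEH

def _rva_to_offset(sections, rva):
    for vsize, va, raw_size, raw_ptr in sections:   # section header fields, in file order
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def safeseh_status(data: bytes):
    """Return (opted_in, reason); opted_in is None when SafeSEH does not apply (PE32+)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                            # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        return None, "not a PE32 (x86) image; SafeSEH does not apply"
    if struct.unpack_from("<H", data, opt + 70)[0] & NO_SEH:
        return True, "NO_SEH set: image uses no SEH at all"
    if struct.unpack_from("<I", data, opt + 92)[0] <= LOAD_CONFIG_INDEX:
        return False, "no load config directory"
    lc_rva, lc_size = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_INDEX)
    if lc_rva == 0 or lc_size < 72:
        return False, "load config absent or too small for SEHandlerTable"
    sec_hdr = opt + opt_size
    sections = [struct.unpack_from("<IIII", data, sec_hdr + 40 * i + 8) for i in range(nsec)]
    table, count = struct.unpack_from("<II", data, _rva_to_offset(sections, lc_rva) + 64)
    if table == 0:
        return False, "SEHandlerTable is NULL: any address can be used as a handler"
    return True, "%d registered handler(s)" % count

def build_sample_pe32(safeseh: bool) -> bytes:
    """Constructed minimal PE32 image (not a real Shockwave module) for testing."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)   # COFF header: i386, 1 section
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8 * LOAD_CONFIG_INDEX, 0x1000, 72)
    struct.pack_into("<IIII", hdr, opt + 224 + 8, 0x200, 0x1000, 0x200, 0x200)  # one section: RVA 0x1000 -> file 0x200
    body = bytearray(0x200)
    struct.pack_into("<I", body, 0, 72)                      # IMAGE_LOAD_CONFIG_DIRECTORY32.Size
    struct.pack_into("<II", body, 64, 0x1234 if safeseh else 0, 3 if safeseh else 0)  # SEHandlerTable, SEHandlerCount
    return bytes(hdr + body)
```

64-bit images return None because x64 uses table-based unwinding rather than SafeSEH, so the check only says something about the 32-bit modules a plugin such as Shockwave loads.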