Category Archives: Shockwave

Security & privacy roundup for September 2015

Android made security news in September for a lockscreen bypass hack and a ransomware app designated Android/Lockerpin.A.

Passwords in the leaked Ashley Madison user database became much easier to crack, once again reminding us to avoid re-using passwords.

A rogue version of the iPhone development tool Xcode was found to have added malicious code to almost 500 legitimate apps. Those apps were published on the Apple App Store, and were subsequently installed by millions of iPhone and iPad users.

In other Apple-related news, a simple bypass was discovered for Gatekeeper, the process that protects Mac OS X users from malicious software.

This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out of date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.

A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.

A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Lab. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Lab acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.

A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, which previously focused almost exclusively on Windows.

Patch Tuesday for September 2015

There’s another big crop of updates from Microsoft this month, including some fixes for Windows 10. Twelve updates were made available earlier today, and of those, five are flagged as Critical. Fifty-six separate vulnerabilities are addressed, affecting all supported versions of Windows, Microsoft Office, and SharePoint.

Adobe announced a new version of Shockwave Player today as well. Version 12.2.0.162 addresses two security vulnerabilities.

Shockwave 12.1.9.160 released

There’s a new version of Adobe’s Shockwave Player. It’s not clear when the new version appeared, since there was no official announcement. There’s nothing at all on the release notes page, other than the fact that the most recent version of Shockwave is 12.1.9.160.

You can download the new version from the main Shockwave page, which also shows the most recent version as 12.1.9.160. You can check what version of Shockwave is installed (if any) on your computer at the Shockwave Help page.

Patch Tuesday for July 2015

This month there are fourteen bulletins from Microsoft, with associated updates affecting Windows, Internet Explorer, Office and SQL Server. Four of the updates are flagged as Critical. The updates address at least fifty-nine vulnerabilities.

From Adobe, there are updates for Flash (see previous post), Reader/Acrobat (version 2015.008.20082) and Shockwave (version 12.1.9.159).

So, although installing updates on computers is probably not anyone’s idea of summer fun, let’s all try to keep our sense of humour as we once again work through the monthly update grind. Enjoy!

Update 2015Jul16: This month’s Microsoft updates address three vulnerabilities (two in Internet Explorer) exposed in the recent Hacking Team leak.

Shockwave 12.1.8.158

The latest version of Adobe Shockwave is 12.1.8.158, which was actually released on April 22. The release notes don’t even mention it.

You can check the version of Shockwave on your computer by going to the Windows Programs and Features control panel, where it appears as Adobe Shockwave Player. Alternatively, you can check your browser’s add-ons: in Firefox, Shockwave appears in the Plugin list as Shockwave for Director. You can also check the installed version and install the latest version on the Shockwave Player Help page.
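As an added example (not from the original post or from Adobe), the Programs and Features check above can be scripted in PowerShell when several machines need auditing. The `Adobe Shockwave Player` display name is taken from the post, and the minimum version defaults to 12.2.0.162, the newest release named on this page; the script reads only the per-machine uninstall keys.

```powershell
# Added example: report whether Adobe Shockwave Player is installed and
# whether it is older than a chosen minimum version.
param(
    # Display name as shown in Programs and Features (from the post).
    [string]  $NamePattern    = 'Adobe Shockwave Player*',
    # Newest release named on this page; change it as newer versions appear.
    [version] $MinimumVersion = '12.2.0.162'
)

# Programs and Features is populated from these uninstall keys:
# the native view, and the 32-bit view on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern }

if (-not $found) {
    Write-Output 'Shockwave Player is not installed.'
    return
}

foreach ($entry in $found) {
    # DisplayVersion is a string; parse it so 12.1.10.x sorts above 12.1.9.x.
    $installed = $null
    $parsed = [version]::TryParse($entry.DisplayVersion, [ref]$installed)

    if (-not $parsed) {
        $status = 'UNKNOWN VERSION'
    }
    elseif ($installed -lt $MinimumVersion) {
        $status = 'OUTDATED'
    }
    else {
        $status = 'CURRENT'
    }

    # Emit an object so results can be piped to Export-Csv or filtered.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Name      = $entry.DisplayName
        Version   = $entry.DisplayVersion
        Status    = $status
        Uninstall = $entry.UninstallString
    }
}
```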

Shockwave 12.1.3.153

Apparently a new version of Adobe Shockwave was released on July 1, 2014. The new version is 12.1.3.153.

The main welcome/download page for Shockwave shows the latest version and provides a test that shows the version you’re currently running. If you’re not running the latest version, you can download and install it from that page. The Shockwave Player Help page does much the same thing.

Adobe’s web resources for Shockwave are appallingly bad. The list of security updates is over a year out of date. The most recent update listed is for version 12.1.0.150. The official Shockwave version history is even worse, as it hasn’t been updated since 2007! There doesn’t seem to be any kind of an update alert mechanism such as an RSS feed, although with the information so out of date, that wouldn’t really help.

The best resource for keeping track of Shockwave versions that I’ve found so far is FileHippo’s Shockwave version history.

Shockwave 12.1.2.152

The latest version of Adobe Shockwave Player is 12.1.2.152.

Unfortunately, the release notes for Shockwave on the Adobe site haven’t been updated since 2007, so it’s difficult to know for sure what’s different about this version. However, given Adobe’s reputation, it’s safe to assume that running an older version of Shockwave will make your computer less secure.

Then again, since Shockwave apparently includes an old, insecure version of Flash, you might want to consider removing Shockwave from your computer completely, unless you absolutely require it. Another alternative is to configure your browser to prompt for activation whenever Shockwave media is encountered. See the instructions for doing this in Firefox elsewhere on this site.

Stop Firefox from showing embedded media automatically

My browser of choice these days is Firefox, despite its recent problems with bloat, performance and the user interface.

I recently made a change to the way Firefox handles embedded content like Java, Flash, Shockwave and Silverlight. By default, Firefox displays embedded media automatically; when you visit a web page that contains embedded media, it plays immediately after loading.

To change this behaviour, do the following:

  1. Go to the Firefox Add-ons page. How you do this depends on the version of Firefox, but one method that always works is to enter ‘about:addons’ in the address bar.
  2. In the menu on the left, click ‘Plugins’.
  3. To the right of each listed plugin, there’s a button. Clicking that button drops down a list with these options: ‘Ask to Activate’, ‘Always Activate’ and ‘Never Activate’.
  4. Change the activation setting for each plugin. ‘Never Activate’ disables a plugin completely. ‘Always Activate’ means that the associated media will run without any user intervention (the default behaviour). ‘Ask to Activate’ will prompt the user before playing the associated media. I set the following plugins to ‘Ask to Activate’: all Java plugins, all Flash plugins, all Shockwave plugins, and all Silverlight plugins.

Once you’ve made these changes, visiting a web page that includes embedded media shows grey blocks where the media would normally appear. A link appears in the middle of each block: ‘Activate Adobe Flash’, ‘Activate Java’, etc. Clicking the ‘Activate’ link pops up a small dialog that allows you to activate the media this time only, or permanently for that particular web site.

This has several benefits:

  • Malicious code in Java, Flash and other media files no longer runs automatically when I visit sites that use them. This makes web surfing much safer.
  • Pages that contain embedded media load faster. If I decide that I want to actually watch some embedded media on a site, I only have to click the ‘Activate’ link.
  • I can now see exactly what kind of media is embedded on a web page, which is especially useful for determining the relative popularity of different kinds of media.

Adobe Shockwave is also a target

Another increasingly popular target for malicious hackers is Adobe Shockwave. But what is Shockwave, and how does it relate to Adobe Flash?

Like Flash, Shockwave is a media platform, and Shockwave media is most commonly found on the web. The two platforms do many of the same things, but the software for creating Shockwave media is both more powerful and more expensive. Flash media is much more common.

In any case, since Shockwave is a target, and since the Shockwave player is commonly installed on the computers of regular users (usually in the form of a browser plugin), I’m adding it to the Software Versions page on this web site.

Update 2014May22: Now comes word that Shockwave contains a version of the Flash player that is over a year out of date. None of the security updates and features added to Flash in the past fifteen months are present in Shockwave’s bundled Flash. Because of this, we recommend disabling Shockwave in your web browser immediately.