Comments on: Adobe Ships Critical Shockwave Update http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/ In-depth security news and investigation Thu, 09 Sep 2010 09:11:37 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: BrianKrebshttp://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/#comment-1280 BrianKrebs Fri, 29 Jan 2010 23:12:26 +0000 http://www.krebsonsecurity.com/?p=702#comment-1280 hi rosie. i'm not preaching against Secunia PSI. I happen to think it's great for your average user because it really does help people stay on top of things. I just said I don't use Java.But at any rate, as someone else in this discussion already pointed out, you don't need Java installed to use Secunia's installed program, just when using Web scan. So even if you don't have Java installed, you can still run Secunia's installed PSI.Sorry for the confusion. Hope that clears things up. hi rosie. i’m not preaching against Secunia PSI. I happen to think it’s great for your average user because it really does help people stay on top of things. I just said I don’t use Java.

But at any rate, as someone else in this discussion already pointed out, you don’t need Java installed to use Secunia’s installed program, just when using Web scan. So even if you don’t have Java installed, you can still run Secunia’s installed PSI.

Sorry for the confusion. Hope that clears things up.

Like or Dislike: Thumb up 1 Thumb down 0

]]> By: Rosiehttp://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/#comment-1278 Rosie Fri, 29 Jan 2010 22:55:53 +0000 http://www.krebsonsecurity.com/?p=702#comment-1278 Brian, I thought you were the one that encouraged Secunia PSI. Sorry to evoke your name in my earlier message. :-) Limited user account regular patching (auto, if possible), up-to-date anti-virus, FoxFire, no-script, regular scans for malware, and most of all, conscientious browsing ... Isn't that what you preach for the most part? Brian, I thought you were the one that encouraged Secunia PSI. Sorry to evoke your name in my earlier message. :-) Limited user account regular patching (auto, if possible), up-to-date anti-virus, FoxFire, no-script, regular scans for malware, and most of all, conscientious browsing … Isn’t that what you preach for the most part?

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: Rosiehttp://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/#comment-1276 Rosie Fri, 29 Jan 2010 22:46:44 +0000 http://www.krebsonsecurity.com/?p=702#comment-1276 Thanks, Sarah.I do have Secunia PSI installed (long time non-geek Krebs reader) and it says I am 100% patched and does not list Shockwave as one of patched programs. It does show Adobe Flash 10.x fully patched which I need and use.I have looked at the forums before. Just never thought of them this time, as for some reason did not equate uninstalling problems with PSI. Will go over there and check around. Thanks, Sarah.

I do have Secunia PSI installed (long time non-geek Krebs reader) and it says I am 100% patched and does not list Shockwave as one of patched programs. It does show Adobe Flash 10.x fully patched which I need and use.

I have looked at the forums before. Just never thought of them this time, as for some reason did not equate uninstalling problems with PSI. Will go over there and check around.

Like or Dislike: Thumb up 1 Thumb down 0

]]> By: Wladimir Palanthttp://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/#comment-1198 Wladimir Palant Thu, 28 Jan 2010 13:57:04 +0000 http://www.krebsonsecurity.com/?p=702#comment-1198 Brian, I am looking at the file c:\Windows\System32\Macromed\Flash\NPSWF32.dll on my system:CompanyName : Adobe Systems, Inc. FileDescription : Shockwave Flash 10.0 r42 ProductName : Shockwave Flash FileVersion : 10,0,42,34 InternalName : Adobe Flash Player 10.0 Oops... Yes, it is Adobe itself that is confused how to call its plugin. Mozilla simply reports the name as it gets it. Now Mozilla could probably do a hack specifically for Flash: s/Shockwave Flash/Flash Player/. But I don't think Mozilla wants to get into the business of telling vendors what the proper name of their product is. Brian, I am looking at the file c:\Windows\System32\Macromed\Flash\NPSWF32.dll on my system:

CompanyName : Adobe Systems, Inc.
FileDescription : Shockwave Flash 10.0 r42
ProductName : Shockwave Flash
FileVersion : 10,0,42,34
InternalName : Adobe Flash Player 10.0

Oops… Yes, it is Adobe itself that is confused how to call its plugin. Mozilla simply reports the name as it gets it. Now Mozilla could probably do a hack specifically for Flash: s/Shockwave Flash/Flash Player/. But I don’t think Mozilla wants to get into the business of telling vendors what the proper name of their product is.

Like or Dislike: Thumb up 1 Thumb down 0

]]> By: Enonhttp://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/#comment-1108 Enon Tue, 26 Jan 2010 19:05:58 +0000 http://www.krebsonsecurity.com/?p=702#comment-1108 Looking over this post and the comments (and noting the frequent mention of ActiveX), I'm wondering how much of this impacts non-Windows users.Not that I never use Windows - I keep a VM available for certain tasks and I deal with hundreds of Windows machines at work (where I'm paid to spin my wheels), but outside of work I prefer to avoid the monstrosity and tend to favor the various BSDs (including OS X, a BSD/Mach hybrid).I do practice safe computing (keep the system up to date, use a restricted account for day to day work, don't enable the root account, don't download cracked software), but I don't live in fear of my machine (don't run that! don't click on these! uninstall this software!).Java: I have a number of interesting and useful Java programs, and I sometimes program in the language. Am I really at risk? I think not.(And for the people who repeat the cliche that the Mac market share is too small for OS X to be targeted: it is targeted, there are trojans and and Mac botnets. What doesn't exist are drive-by exploits, viruses and worms. The BSDs just don't expose the same attack surfaces that Windows does.) Looking over this post and the comments (and noting the frequent mention of ActiveX), I’m wondering how much of this impacts non-Windows users.

Not that I never use Windows – I keep a VM available for certain tasks and I deal with hundreds of Windows machines at work (where I’m paid to spin my wheels), but outside of work I prefer to avoid the monstrosity and tend to favor the various BSDs (including OS X, a BSD/Mach hybrid).

I do practice safe computing (keep the system up to date, use a restricted account for day to day work, don’t enable the root account, don’t download cracked software), but I don’t live in fear of my machine (don’t run that! don’t click on these! uninstall this software!).

Java: I have a number of interesting and useful Java programs, and I sometimes program in the language. Am I really at risk? I think not.

(And for the people who repeat the cliche that the Mac market share is too small for OS X to be targeted: it is targeted, there are trojans and and Mac botnets. What doesn’t exist are drive-by exploits, viruses and worms. The BSDs just don’t expose the same attack surfaces that Windows does.)

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: BrianKrebshttp://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/#comment-1054 BrianKrebs Tue, 26 Jan 2010 03:50:52 +0000 http://www.krebsonsecurity.com/?p=702#comment-1054 Sarah -- Thanks for the clarification. Sounds like I had the PSI and online scanner backwards in my reply to Jen. It's been a while since I've used either the installable or online scanner. Sarah — Thanks for the clarification. Sounds like I had the PSI and online scanner backwards in my reply to Jen. It’s been a while since I’ve used either the installable or online scanner.

Like or Dislike: Thumb up 1 Thumb down 0

]]> By: Sarahhttp://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/#comment-1052 Sarah Tue, 26 Jan 2010 03:42:12 +0000 http://www.krebsonsecurity.com/?p=702#comment-1052 Brian and Jen,Secunia's Online Software Inspector (OSI) requires installation of the Java Runtime Environment. I never use it, primarily because it reports on a very limited number of programs--about 70. My post above, responding to Rosie's dilemma, discussed only Secunia's PSI.The functionality of the Personal Software Inspector (PSI) does not depend on the installation of JRE. The PSI works just fine without Java, and it can identify vulnerable installations of hundreds of programs and browser extensions in addition to missing Microsoft patches.I do not know if the CSI, or corporate version of the Software Inspector, requires JRE or not.I apologize to you and your readers for not including this information in my previous post.The PSI does require the installation of the Active X flavor of Adobe's Flash Player. The vulnerability scanner works perfectly without Flash; however, you cannot view the pie chart and bar graph on the top level page of the user interface without Flash for IE. Also, I should have mentioned the system requirements for the PSI are Win XP SP2 or higher, Vista, or Win 7.By the way, the Jan. 24th handler's diary at SANS (Internet Storm Center) was "Outdated Client Applications." The handler requested input from readers regarding how updating of client applications is managed, both at home and in the corporate environment. Although Secunia's Software Inspectors received the most mention, other strategies of interest to both security experts and network gurus appear in the comments.Sarah Brian and Jen,

Secunia’s Online Software Inspector (OSI) requires installation of the Java Runtime Environment. I never use it, primarily because it reports on a very limited number of programs–about 70. My post above, responding to Rosie’s dilemma, discussed only Secunia’s PSI.

The functionality of the Personal Software Inspector (PSI) does not depend on the installation of JRE. The PSI works just fine without Java, and it can identify vulnerable installations of hundreds of programs and browser extensions in addition to missing Microsoft patches.

I do not know if the CSI, or corporate version of the Software Inspector, requires JRE or not.

I apologize to you and your readers for not including this information in my previous post.

The PSI does require the installation of the Active X flavor of Adobe’s Flash Player. The vulnerability scanner works perfectly without Flash; however, you cannot view the pie chart and bar graph on the top level page of the user interface without Flash for IE. Also, I should have mentioned the system requirements for the PSI are Win XP SP2 or higher, Vista, or Win 7.

By the way, the Jan. 24th handler’s diary at SANS (Internet Storm Center) was “Outdated Client Applications.” The handler requested input from readers regarding how updating of client applications is managed, both at home and in the corporate environment. Although Secunia’s Software Inspectors received the most mention, other strategies of interest to both security experts and network gurus appear in the comments.

Sarah

Like or Dislike: Thumb up 1 Thumb down 0

]]> By: BrianKrebshttp://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/#comment-978 BrianKrebs Tue, 26 Jan 2010 00:14:14 +0000 http://www.krebsonsecurity.com/?p=702#comment-978 Hi Dan. Thanks for the comment. So are you saying there's nothing Mozilla can do to reduce that confusion? What about in the new FF3.6 feature, Plugin Scanner, which scans for insecure plugins? Could not Mozilla reduce some confusion there? Hi Dan. Thanks for the comment. So are you saying there’s nothing Mozilla can do to reduce that confusion? What about in the new FF3.6 feature, Plugin Scanner, which scans for insecure plugins? Could not Mozilla reduce some confusion there?

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: Daniel Veditzhttp://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/#comment-971 Daniel Veditz Mon, 25 Jan 2010 22:44:40 +0000 http://www.krebsonsecurity.com/?p=702#comment-971 Brian,Mozilla does not call it "Shockwave Flash", it just displays the name field provided by the plugin itself. Adobe could theoretically change that any release they want to, but in practice may not be able to. Any web code that references navigator.plugins["Shockwave Flash"] would break if that were changed. Brian,

Mozilla does not call it “Shockwave Flash”, it just displays the name field provided by the plugin itself. Adobe could theoretically change that any release they want to, but in practice may not be able to. Any web code that references navigator.plugins["Shockwave Flash"] would break if that were changed.

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: BrianKrebshttp://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/#comment-954 BrianKrebs Mon, 25 Jan 2010 18:01:46 +0000 http://www.krebsonsecurity.com/?p=702#comment-954 You can't use Secunia's PSI without having Java. I believe even their online version of the scanner requires you to have Java installed.I do not use Secunia for this reason. There's something ironic about having to install Java just to be able to scan for software that needs patching. Granted, Secunia will let me know if my Java is out of date, but I pay pretty close attention to this subject, and so derive far less utility out of PSI. Your mileage, however, may differ. You can’t use Secunia’s PSI without having Java. I believe even their online version of the scanner requires you to have Java installed.

I do not use Secunia for this reason. There’s something ironic about having to install Java just to be able to scan for software that needs patching. Granted, Secunia will let me know if my Java is out of date, but I pay pretty close attention to this subject, and so derive far less utility out of PSI. Your mileage, however, may differ.

Like or Dislike: Thumb up 1 Thumb down 0

]]>