Comments on: Adobe Ships Critical Shockwave Update http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/ In-depth security news and investigation Wed, 23 May 2012 01:40:28 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Tony Smit http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/comment-page-1/#comment-12562 Tony Smit Wed, 17 Nov 2010 05:03:14 +0000 http://www.krebsonsecurity.com/?p=702#comment-12562 I am late to this conversation posting this, but on my Windows XP installation on a consumer Compaq PC there was not an entry in Add/Remove programs or a separate uninstaller for Shockwave, probably because the Help provided by Compaq required the Shockwave player. Fortunately, there is an uninstaller for Shockwave on the Adobe website, and it is a bear to find it using their "search". http://www.adobe.com/shockwave/download/alternates/ Scroll down the page to "Shockwave Player" and look for the uninstaller. For "Windows 98/2000/XP" it is this link: http://fpdownload.macromedia.com/get/shockwave/uninstall/win/sw_uninstaller.exe I am late to this conversation posting this, but on my Windows XP installation on a consumer Compaq PC there was not an entry in Add/Remove programs or a separate uninstaller for Shockwave, probably because the Help provided by Compaq required the Shockwave player.

Fortunately, there is an uninstaller for Shockwave on the Adobe website, and it is a bear to find it using their “search”.

http://www.adobe.com/shockwave/download/alternates/

Scroll down the page to “Shockwave Player” and look for the uninstaller. For “Windows 98/2000/XP” it is this link:

http://fpdownload.macromedia.com/get/shockwave/uninstall/win/sw_uninstaller.exe

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: BrianKrebs http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/comment-page-1/#comment-1280 BrianKrebs Fri, 29 Jan 2010 23:12:26 +0000 http://www.krebsonsecurity.com/?p=702#comment-1280 hi rosie. i'm not preaching against Secunia PSI. I happen to think it's great for your average user because it really does help people stay on top of things. I just said I don't use Java. But at any rate, as someone else in this discussion already pointed out, you don't need Java installed to use Secunia's installed program, just when using Web scan. So even if you don't have Java installed, you can still run Secunia's installed PSI. Sorry for the confusion. Hope that clears things up. hi rosie. i’m not preaching against Secunia PSI. I happen to think it’s great for your average user because it really does help people stay on top of things. I just said I don’t use Java.

But at any rate, as someone else in this discussion already pointed out, you don’t need Java installed to use Secunia’s installed program, just when using Web scan. So even if you don’t have Java installed, you can still run Secunia’s installed PSI.

Sorry for the confusion. Hope that clears things up.

Like or Dislike: Thumb up 2 Thumb down 0
]]> By: Rosie http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/comment-page-1/#comment-1278 Rosie Fri, 29 Jan 2010 22:55:53 +0000 http://www.krebsonsecurity.com/?p=702#comment-1278 Brian, I thought you were the one that encouraged Secunia PSI. Sorry to evoke your name in my earlier message. :-) Limited user account regular patching (auto, if possible), up-to-date anti-virus, FoxFire, no-script, regular scans for malware, and most of all, conscientious browsing ... Isn't that what you preach for the most part? Brian, I thought you were the one that encouraged Secunia PSI. Sorry to evoke your name in my earlier message. :-) Limited user account regular patching (auto, if possible), up-to-date anti-virus, FoxFire, no-script, regular scans for malware, and most of all, conscientious browsing … Isn’t that what you preach for the most part?

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: Rosie http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/comment-page-1/#comment-1276 Rosie Fri, 29 Jan 2010 22:46:44 +0000 http://www.krebsonsecurity.com/?p=702#comment-1276 Thanks, Sarah. I do have Secunia PSI installed (long time non-geek Krebs reader) and it says I am 100% patched and does not list Shockwave as one of patched programs. It does show Adobe Flash 10.x fully patched which I need and use. I have looked at the forums before. Just never thought of them this time, as for some reason did not equate uninstalling problems with PSI. Will go over there and check around. Thanks, Sarah.

I do have Secunia PSI installed (long time non-geek Krebs reader) and it says I am 100% patched and does not list Shockwave as one of patched programs. It does show Adobe Flash 10.x fully patched which I need and use.

I have looked at the forums before. Just never thought of them this time, as for some reason did not equate uninstalling problems with PSI. Will go over there and check around.

Like or Dislike: Thumb up 1 Thumb down 0
]]> By: Wladimir Palant http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/comment-page-1/#comment-1198 Wladimir Palant Thu, 28 Jan 2010 13:57:04 +0000 http://www.krebsonsecurity.com/?p=702#comment-1198 Brian, I am looking at the file c:\Windows\System32\Macromed\Flash\NPSWF32.dll on my system: CompanyName : Adobe Systems, Inc. FileDescription : Shockwave Flash 10.0 r42 ProductName : Shockwave Flash FileVersion : 10,0,42,34 InternalName : Adobe Flash Player 10.0 Oops... Yes, it is Adobe itself that is confused how to call its plugin. Mozilla simply reports the name as it gets it. Now Mozilla could probably do a hack specifically for Flash: s/Shockwave Flash/Flash Player/. But I don't think Mozilla wants to get into the business of telling vendors what the proper name of their product is. Brian, I am looking at the file c:\Windows\System32\Macromed\Flash\NPSWF32.dll on my system:

CompanyName : Adobe Systems, Inc.
FileDescription : Shockwave Flash 10.0 r42
ProductName : Shockwave Flash
FileVersion : 10,0,42,34
InternalName : Adobe Flash Player 10.0

Oops… Yes, it is Adobe itself that is confused how to call its plugin. Mozilla simply reports the name as it gets it. Now Mozilla could probably do a hack specifically for Flash: s/Shockwave Flash/Flash Player/. But I don’t think Mozilla wants to get into the business of telling vendors what the proper name of their product is.

Like or Dislike: Thumb up 1 Thumb down 0
]]> By: Enon http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/comment-page-1/#comment-1108 Enon Tue, 26 Jan 2010 19:05:58 +0000 http://www.krebsonsecurity.com/?p=702#comment-1108 Looking over this post and the comments (and noting the frequent mention of ActiveX), I'm wondering how much of this impacts non-Windows users. Not that I never use Windows - I keep a VM available for certain tasks and I deal with hundreds of Windows machines at work (where I'm paid to spin my wheels), but outside of work I prefer to avoid the monstrosity and tend to favor the various BSDs (including OS X, a BSD/Mach hybrid). I do practice safe computing (keep the system up to date, use a restricted account for day to day work, don't enable the root account, don't download cracked software), but I don't live in fear of my machine (don't run that! don't click on these! uninstall this software!). Java: I have a number of interesting and useful Java programs, and I sometimes program in the language. Am I really at risk? I think not. (And for the people who repeat the cliche that the Mac market share is too small for OS X to be targeted: it is targeted, there are trojans and and Mac botnets. What doesn't exist are drive-by exploits, viruses and worms. The BSDs just don't expose the same attack surfaces that Windows does.) Looking over this post and the comments (and noting the frequent mention of ActiveX), I’m wondering how much of this impacts non-Windows users.

Not that I never use Windows – I keep a VM available for certain tasks and I deal with hundreds of Windows machines at work (where I’m paid to spin my wheels), but outside of work I prefer to avoid the monstrosity and tend to favor the various BSDs (including OS X, a BSD/Mach hybrid).

I do practice safe computing (keep the system up to date, use a restricted account for day to day work, don’t enable the root account, don’t download cracked software), but I don’t live in fear of my machine (don’t run that! don’t click on these! uninstall this software!).

Java: I have a number of interesting and useful Java programs, and I sometimes program in the language. Am I really at risk? I think not.

(And for the people who repeat the cliche that the Mac market share is too small for OS X to be targeted: it is targeted, there are trojans and and Mac botnets. What doesn’t exist are drive-by exploits, viruses and worms. The BSDs just don’t expose the same attack surfaces that Windows does.)

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: BrianKrebs http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/comment-page-1/#comment-1054 BrianKrebs Tue, 26 Jan 2010 03:50:52 +0000 http://www.krebsonsecurity.com/?p=702#comment-1054 Sarah -- Thanks for the clarification. Sounds like I had the PSI and online scanner backwards in my reply to Jen. It's been a while since I've used either the installable or online scanner. Sarah — Thanks for the clarification. Sounds like I had the PSI and online scanner backwards in my reply to Jen. It’s been a while since I’ve used either the installable or online scanner.

Like or Dislike: Thumb up 1 Thumb down 0
]]> By: Sarah http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/comment-page-1/#comment-1052 Sarah Tue, 26 Jan 2010 03:42:12 +0000 http://www.krebsonsecurity.com/?p=702#comment-1052 Brian and Jen, Secunia's Online Software Inspector (OSI) requires installation of the Java Runtime Environment. I never use it, primarily because it reports on a very limited number of programs--about 70. My post above, responding to Rosie's dilemma, discussed only Secunia's PSI. The functionality of the Personal Software Inspector (PSI) does not depend on the installation of JRE. The PSI works just fine without Java, and it can identify vulnerable installations of hundreds of programs and browser extensions in addition to missing Microsoft patches. I do not know if the CSI, or corporate version of the Software Inspector, requires JRE or not. I apologize to you and your readers for not including this information in my previous post. The PSI does require the installation of the Active X flavor of Adobe's Flash Player. The vulnerability scanner works perfectly without Flash; however, you cannot view the pie chart and bar graph on the top level page of the user interface without Flash for IE. Also, I should have mentioned the system requirements for the PSI are Win XP SP2 or higher, Vista, or Win 7. By the way, the Jan. 24th handler's diary at SANS (Internet Storm Center) was "Outdated Client Applications." The handler requested input from readers regarding how updating of client applications is managed, both at home and in the corporate environment. Although Secunia's Software Inspectors received the most mention, other strategies of interest to both security experts and network gurus appear in the comments. Sarah Brian and Jen,

Secunia’s Online Software Inspector (OSI) requires installation of the Java Runtime Environment. I never use it, primarily because it reports on a very limited number of programs–about 70. My post above, responding to Rosie’s dilemma, discussed only Secunia’s PSI.

The functionality of the Personal Software Inspector (PSI) does not depend on the installation of JRE. The PSI works just fine without Java, and it can identify vulnerable installations of hundreds of programs and browser extensions in addition to missing Microsoft patches.

I do not know if the CSI, or corporate version of the Software Inspector, requires JRE or not.

I apologize to you and your readers for not including this information in my previous post.

The PSI does require the installation of the Active X flavor of Adobe’s Flash Player. The vulnerability scanner works perfectly without Flash; however, you cannot view the pie chart and bar graph on the top level page of the user interface without Flash for IE. Also, I should have mentioned the system requirements for the PSI are Win XP SP2 or higher, Vista, or Win 7.

By the way, the Jan. 24th handler’s diary at SANS (Internet Storm Center) was “Outdated Client Applications.” The handler requested input from readers regarding how updating of client applications is managed, both at home and in the corporate environment. Although Secunia’s Software Inspectors received the most mention, other strategies of interest to both security experts and network gurus appear in the comments.

Sarah

Like or Dislike: Thumb up 1 Thumb down 0
]]> By: BrianKrebs http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/comment-page-1/#comment-978 BrianKrebs Tue, 26 Jan 2010 00:14:14 +0000 http://www.krebsonsecurity.com/?p=702#comment-978 Hi Dan. Thanks for the comment. So are you saying there's nothing Mozilla can do to reduce that confusion? What about in the new FF3.6 feature, Plugin Scanner, which scans for insecure plugins? Could not Mozilla reduce some confusion there? Hi Dan. Thanks for the comment. So are you saying there’s nothing Mozilla can do to reduce that confusion? What about in the new FF3.6 feature, Plugin Scanner, which scans for insecure plugins? Could not Mozilla reduce some confusion there?

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: Daniel Veditz http://krebsonsecurity.com/2010/01/adobe-ships-critical-shockwave-update/comment-page-1/#comment-971 Daniel Veditz Mon, 25 Jan 2010 22:44:40 +0000 http://www.krebsonsecurity.com/?p=702#comment-971 Brian, Mozilla does not call it "Shockwave Flash", it just displays the name field provided by the plugin itself. Adobe could theoretically change that any release they want to, but in practice may not be able to. Any web code that references navigator.plugins["Shockwave Flash"] would break if that were changed. Brian,

Mozilla does not call it “Shockwave Flash”, it just displays the name field provided by the plugin itself. Adobe could theoretically change that any release they want to, but in practice may not be able to. Any web code that references navigator.plugins["Shockwave Flash"] would break if that were changed.

Like or Dislike: Thumb up 0 Thumb down 0
]]>