The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) is warning about a dangerous security hole in Adobe’s Shockwave Player that could be used to silently install malicious code. The truly shocking aspect of this bug? U.S. CERT first warned Adobe about the vulnerability in October 2010, and Adobe says it won’t be fixing it until February 2013.
Shockwave is a browser plug-in that some sites require. At issue is a feature of Adobe Shockwave that allows the installation of “Xtras,” downloadable components meant to interact with the media player. According to an advisory from US-CERT the problem is that Shockwave installs Xtras that are signed by Adobe or Macromedia without prompting, which can allow an attacker to target vulnerabilities in older Xtras.
From the advisory:
When a Shockwave movie attempts to use an Xtra, it will download and install it as necessary. If the Xtra is signed by Adobe or Macromedia, it will be installed automatically without any user interaction. Because the location from which Shockwave downloads the Xtra is stored in the Shockwave movie itself, this can allow an attacker to host old, vulnerable Xtras that can be installed and exploited automatically when a Shockwave movie is played.
US-CERT warned that by convincing a user to view a specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user.
Reached via email, an Adobe spokeswoman confirmed that US-CERT had alerted the company about the flaw in October 2010, but said Adobe is not aware of any active exploits or attacks in the wild using this vulnerability.
“Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013,” Adobe’s Wiebke Lips wrote.
Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.
If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave, then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.
Speaking of Java, Oracle shipped an update to its Java software, which brings the program to Java 7 Update 10 or Java 6 Update 38. There are bug fixes with these releases, but no official security updates. However, the Java 7 update does include some new functionality designed to make it easier to disable Java in the browser. Oracle is expected to stop shipping updates for Java 6 in February 2013.
Thomas Kristensen, chief security officer of security firm Secunia said he believes “these features do not make Java more secure in itself, however, it will likely make it easier for users to make their PCs more secure as it becomes easier to manage certain restrictions.” Readers who want more information about how to disable Java in the browser, and adopt my recommendation for a two-browser approach to using Java, can consult this blog post. Bottom line: If you don’t need Java, get rid of it.
Don’t forget the other two Shockwave vulnerabilities published at the same time:
http://www.kb.cert.org/vuls/id/323161
http://www.kb.cert.org/vuls/id/546769
Using latest Firefox release. Have both Java Platform SE 7 U9 (10.9.2.5) and Java Deployment Toolkit 7.0.70.10 (10.7.2.10) disabled. Is that why my control panel is howing no Java icon? I was surprised when I looked just now, because I do not recall uninstalling Java recently (yeah, I know, Brian: I should).
However, I did recently have to do a “reset” on my Firefox, which necessitated starting over and reinstalling all desired add-ons. Is that when I lost Java? Or, because my Firefox addons sidebar shows two Java plugins disabled, is Java still lurking somewhere in my PC (XP/SP3)?
Really, the only time I am aware of needing Java is to do a Secunia online security scan. And I do those on IE8, which just now loaded the Java applet needed for a scan.
I’m confused.
Regarding the extraordinary time required to fix this bug, I’m reminded of the rule that one should never assume malice before incompetence.
At one point do you start assuming malice?
Question: “At one point do you start assuming malice?”
Answer: When you look at the cost estimate for a fix. The problem is a flawed system design: “Because the location from which Shockwave downloads the Xtra is stored in the Shockwave movie itself,”. System rewrites are more expensive than a one line change. So while incompetence is involved at the system design level, the word “greed” should be added as a possibility. IMHO.
P.S. and off topic: I would like to be a fly on the wall at the next management meeting.
“”So while incompetence is involved at the system design level, the word “greed” should be added as a possibility.”
Good answer, makes sense. 🙂
Greed becomes malice when your profit knowingly comes at the expense of someone else’s forseeable injury.
Well, if this wasn’t an exploit that was being pursued by miscreants in the wild before now, it likely will be soon. Thanks once again for the heads-up, Brian!
Adobe — mind of bricks…
Oracle — blinded by the light…
Microsoft — fast and loose with the hard stuff…
Adobe needs to be absorbed by a company with a clue about security. I am not sure which would be the best fit, but when MS was talking about this a few years ago my hopes were up. Sure MS has it’s challenges but at least it makes an effort. Adobe is the epitome of fail.
“Readers who want more information about how to disable Java in the browser, and adopt my recommendation for a two-browser approach to using Java, can consult this blog post.”
Um … sorry, but which blog post?
Is there supposed to be a link there somewhere?
Whoops. Added the link. Thanks.
It’s here, btw:
http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
I have disabled both Java plugins in Firefox. There is no Java icon in my control panel (so no tweaking possible that way). Yet Java apparently works in my IE8. So I guess Java is in my system somewhere, but I’m stumped as to exactly where. XP/SP3. More detail in my post above.
Check Add/Remove Software?
Yup, there it is, by golly. Thanks. Still puzzling its absence from the control panel.
If I remember correctly, even if you remove Java via Add/Remove, the plugin remains on your system. You can find the Java plugin file here:
32bit system
C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
64bit system
C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
Correction…Apparently Oracle has made some recent changes (at least for Windows 7). If you uninstall Java via Add/Remove, a Java plugin does still reside on your system (as you’ll see if you check the plugins menu within either Firefox or Opera). Depending on your system – 32 or 64 bit, the remaining plugin resides in one or more of the below locations. Once deleted, the Java plugin will no longer show up in your browser’s plugin menu (after you close and reopen the browser).
I only have Windows 7 systems, so these instructions may only be applicable to Windows 7.
32bit systems
C:\Windows\System32\npDeployJava1.dll
64bit systems
C:\Windows\System32\npDeployJava1.dll
C:\Windows\SysWOW64\npDeployJava1.dll
re Removing Java.
I have an ereader and to use it I have to use Adobe Digital in order to use the desktop and download books I have purchased. I presume that this Adobe product is reasonably good, though downloading large files such as the complete works of an author does not always work for all the files. Adobe updates so often that I wonder if it is that things are getting out of sync.
I just translated the how-to deinstall Java from a webbrowser in Dutch and posted it on my blog.
Hi Brian,
Thanks very much for your always-valuable advice.
Firefox is the only browser I use. I’ve disabled everything with the label “Java” in it.
Although I have Internet Explorer 8 on my 64-bit Windows 7 computer, I never use the browser.
Should I still disable Java in it? As you said, it can be complicated.
Thanks very, Brian, for all you do for us non-technical folks.
John
You never ever should have any outdated software on anything you use (PC, TV, router/modems, car electrics, alarm system…), especially if you don’t need it. A friend, manual, helpfile (“F1”), FAQ, support, shop… can help with deinstallation.
Easy to go without shockwave in day-to-day internet use, still not easy to go without Java. Have to look into the new options they enabled and try a 2-browser setup.
Yet another dissappointment caused by Adobe management.
Back in 2008 when the pattern of Adobe management ignoring issues was first noticed, we all should have learned. How many years will it take for Adobe to finally understand that they need to take security seriously regardless of what their less-than-knowledgable clients do.
I don’t have an answer.
Sadly, the only answer seems to be what Apple is doing. Don’t support problem “platforms” on your OS. Being vocal about these issues hasn’t worked either, though I do not have the same plaform that Brian does.
For years, my only recommendation, when asked, has been to not use any software from Adobe unless you earn a living from it AND if you earn a living, it is passed time to find a replacement.
* PDF – alternatives exist
* Flash – run, don’t walk, to HTML5 (even with all the issues)
* Air – huh? (I group this in with Shockwave); not needed
* Photoshop – this can be painful, but at least billions of client devices are not impacted.
* Premier – switching video editing tools can be painful, but at least billions of client devices are not impacted.
If the corporate users take a stand, Adobe will listen. Non-paying users – like most people using PDF and Flash software do not have any voice. Many of their best customers are smaller video and photography companies. Switching software is nearly impossible for them. Only if they organize together and demand better security will Adobe management listen.
I’d like to point out that it is a management issue, not a developer issue. Developers WANT to make secure and bug free software that end-users love. Adobe management knows that the software design for Flash is inheriently flawed. Fixing it will break backwards compatibility. Management may be waiting for the user revolt to get them out of patching flash? I don’t know.
Adobe quarterly profits up 28%.
They are good at marketing and selling overpriced products. Ah, yes, also good at providing holes for intrusions by crooks.
Brian – FYI, the Flash Player plug-in in Opera is also referred to as Shockwave Flash.
How about using Gnash??
Another thing that keeps Java floating around are two majorly popular Java games, Runescape and Minecraft. Huge amount of players each. Minecraft just recently started alerting users if they’re running Java 5 to update, but only due to newer game features requiring newer LWJGL. Not that it should be these games job to alert people of security updates, but still, just like Adobe’s crap it’s being pumped out to people who have no idea what version they’re running or why it matters.
Like everyone else, I still see computers from people with multiple versions of prehistoric Java and other plugins installed. That’s one thing I do like about Linux, just run a quick “yum update” or the like and everything, plugins included are updated.
Another area with games and plugins, a lot of highend games such as Crysis 2 use Autodesk Scaleform which –
“enables developers to leverage the power of the Adobe® Flash® tool set to create powerful and immersive user interface environments for video games and beyond. Used in over 1000 titles across all major platforms ranging from AAA titles to casual games, Scaleform provides a streamlined solution to create hardware-accelerated 3D game menus, HUDs, animated textures, in-game videos and mini-games.”
Meaning I’m fairly certain these games won’t work without Flash installed.
Adobe AIR, Sims 3 uses that. Another huge fanbase.
This crap just keeps leaking into areas where it isn’t needed or wanted, but they will make sure it’s required to run it though!
I guess I will just give up on watching you tube I am thinking about Netflix streaming video or movies but I am not sure?
That’s an easy fix, just go: https://www.youtube.com/html5
Thanks for the link Vee!