May 21, 2014

This author has long advised computer users who have Adobe’s Shockwave Player installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it’s yet another plugin that requires constant updating. But I was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, it bundles a component of Adobe Flash that is more than 15 months behind on security updates, and which can be used to backdoor virtually any computer running it.

My re-education on this topic comes courtesy of Will Dormann, a computer security expert who writes threat advisories for Carnegie Mellon University’s CERT. In a recent post on the release of the latest bundle of security updates for Adobe’s Flash player, Dormann commented that Shockwave actually provides its own version of the Flash runtime, and that the latest Shockwave version released by Adobe has none of the recent Flash fixes.

Worse yet, Dormann said, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2013. By my count, Adobe has issued nearly 20 separate security updates for Flash since then, including fixes for several dangerous zero-day vulnerabilities.

“Flash updates can come frequently, but Shockwave not so much,” Dormann said. “So architecturally, it’s just flawed to provide its own Flash.”

Dormann said he initially alerted the public to this gaping security hole in 2012 via this advisory, but that he first told Adobe about this lackluster update process back in 2010.

As if that weren’t bad enough, Dormann said it may actually be easier for attackers to exploit Flash vulnerabilities via Shockwave than it is to exploit them directly against the standalone Flash plugin itself. That’s because Shockwave has several modules that don’t opt in to trivial exploit mitigation techniques built into Microsoft Windows, such as SafeSEH.

“So not only are the vulnerabilities there, but they’re easier to exploit as well,” Dormann said. “One of the things that helps make a vulnerability more difficult [to exploit] is how many of the exploit mitigations a vendor opts in to. In the case of Shockwave, there are some mitigations missing in a number of modules, such as SafeSEH. Because of this, it may be easier to exploit a vulnerability when Flash is hosted by Shockwave, for example.”
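Whether a module opted in to SafeSEH is recorded in its own PE headers, so a defender can audit the modules of an installed plugin without running them. The script below is an added example, not code from the article, CERT or Adobe: `safeseh_status` reads a 32-bit PE the way the loader does, and `build_sample_pe` constructs minimal test images (constructed data, not real Shockwave modules).

```python
"""Audit a 32-bit PE module for the SafeSEH opt-in (added example, not the article's code)."""
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400
LOAD_CONFIG_DIR_INDEX = 10          # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    return None


def safeseh_status(data):
    """Return 'safeseh', 'no_seh', 'missing' or 'not_x86' for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                           # start of the optional header
    if machine != IMAGE_FILE_MACHINE_I386 or struct.unpack_from("<H", data, opt)[0] != 0x10B:
        return "not_x86"                        # x64 unwinds via tables; SafeSEH is n/a
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    if dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH:
        return "no_seh"                         # module registers no handlers at all
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    if ndirs <= LOAD_CONFIG_DIR_INDEX:
        return "missing"
    lc_rva = struct.unpack_from("<I", data, opt + 96 + 8 * LOAD_CONFIG_DIR_INDEX)[0]
    if lc_rva == 0:
        return "missing"                        # no Load Config: linked without /SAFESEH
    sections = []
    for i in range(nsections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    lc_off = rva_to_offset(lc_rva, sections)
    if lc_off is None or lc_off + 72 > len(data):
        return "missing"
    # IMAGE_LOAD_CONFIG_DIRECTORY32: SEHandlerTable at +64, SEHandlerCount at +68
    table, count = struct.unpack_from("<II", data, lc_off + 64)
    return "safeseh" if table and count else "missing"


def build_sample_pe(safeseh, no_seh=False):
    """Construct a minimal x86 PE32 image (test data, not a real module)."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_NO_SEH if no_seh else 0)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR_INDEX, 0x1000, 72)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, len(opt), 0x2102)
    # one section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    section = b".rdata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    headers = bytearray(0x200)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x80)                # e_lfanew
    nt = b"PE\0\0" + coff + opt + section
    headers[0x80:0x80 + len(nt)] = nt
    load_config = bytearray(0x200)
    struct.pack_into("<I", load_config, 0, 72)                 # Size
    if safeseh:
        struct.pack_into("<II", load_config, 64, 0x1100, 3)    # table RVA, handler count
    return bytes(headers + load_config)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {safeseh_status(fh.read())}")
```

A module reported as `missing` is the case Dormann describes: it neither declares that it has no handlers nor ships a validated handler table, so a host-level control such as EMET's SEHOP is the compensating mitigation.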

Adobe spokeswoman Heather Edell confirmed that CERT’s information is correct, and that the next release of Shockwave Player will include the updated version of Flash Player.

“We are reviewing our security update process in order to mitigate risks in Shockwave Player,” Edell said.

For those who need Shockwave Player installed for some reason, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET 4.1 or higher) can help prevent the exploitation of this weakness.

Not sure whether your computer has Shockwave installed? If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave (or in the case of Google Chrome for some reason just automatically downloads the installer), then you don’t have Shockwave installed. To remove Shockwave, grab Adobe’s uninstall tool here. Mozilla Firefox users should note that the presence of the “Shockwave Flash” plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave Player.


57 thoughts on “Why You Should Ditch Adobe Shockwave”

  1. TheOreganoRouter.onion.it

    The best solution is not to run Java, Shockwave or Flash at all on any current browser.

  2. MartinPrince

    Unfortunately Juniper GUI interfaces require flash. Cisco GUI interfaces require Java.

    Blah blah blah CLI this CLI that….

  3. ahazuarus

    I use sandboxie for web interfaces that require this kind of garbage. cisco is a great example.

    1. ahazuarus

      As a side note, I tried the test on adobe’s site and my chrome does not know what to do with it. I’m simply prompted to download a .dcr file that windows does not know what to do with.

      1. SeymourB

        That’s not entirely surprising, since Chrome doesn’t support NSAPI (or ActiveX) plugins. The only reason Flash works is because Google came up with its own proprietary closed source API for plugins, and Google rewrites Flash for their API with every update. As a result no NSAPI plugins work with Chrome, which means you have no way of making Shockwave work with Chrome (in the case of Shockwave it’s no great loss, but a great many integrated applications require access to a plugin of one sort or another).

        1. timeless

          While the API is named for Netscape, which sometimes goes by NS, it’s actually NPAPI – Netscape Plugin API.

        2. Someone

          Shockwave runs just fine here in Chrome… version 12.1.1.151

  4. timmdrumm

    I wasn’t 100% positive I didn’t have Shockwave installed so I used the link to check. No animation, but a download file dialog box opened to pull down a .dcr file called ‘dir’. No instructions, no ‘click here to download’. Visited 3 times, same thing happened each time. To me, that’s bad behavior.

    1. ahazuarus

      I saw the same thing. If windows doesn’t know what to do with it, I guess that means you/we don’t have it.

      1. Joanne Gruber

        Sorry I don’t have time to browse any farther than you guys’ exchange (to check if anyone has already posted this): I couldn’t see anything at his link–neither an animation nor an enticement to install–but did get the info at this one: http://helpx.adobe.com/shockwave.html, which is the home p. for Shockwave Player Help; Step #1 in “[How to] Install Shockwave Player in 5 easy steps” = Check if Shockwave Player is installed on your computer. I clicked CHECK NOW and got “Sorry, Shockwave Player is either not installed or disabled on your machine. Please go to Step 2.” Needless to say, I did NOT go to Step 2. 🙂

    2. Vee

      .dcr
      “Interactive media file saved in the Shockwave format for distribution on the Web; similar to a Flash (.SWF) file, but created with Adobe Director rather than Adobe Flash; often used for creating Web games and other highly interactive content.”

      So if you don’t have any default application to open it (Shockwave) then you probably don’t have anything to run it.

  5. grayslady

    The only reason I have Shockwave installed is to play the Daily Jigsaw Puzzle from Article 19. I guess I can wait to play the game until Shockwave is fixed, unless there is a problem with temporary files or other types of Shockwave related files that may be resident on my computer. Does anyone know whether just having Shockwave installed on the computer creates a risk, even if you don’t use it?

    1. Old School

      Just uninstall (remove from your system) Shockwave until the problem is fixed, thus all worry is eliminated. The re-installation of the fixed Shockwave should be clean.

  6. Michael Confoy

    The problem is, how do we view the loads of content that require it?

    1. Santa Bieber

      Unfortunately, this is a chicken and an egg scenario. The best way to convince corporations to stop requiring these plugins is for their customers to start refusing to install them.

      I’ve been trying for months to get my company’s purchasing policies changed to require C-level sign off on any software requiring Flash, Shockwave, Silverlight, or Java, as well as adding verbiage to all RFPs stating that preference will be given to solutions not requiring such technologies.

      I strongly feel that until vendors start losing significant business due to their reliance on insecure software, nothing is likely to change.

  7. Vee

    At the very least they should just do what Java does and add an “Enable/Disable Shockwave content in the browser” (disable by default). If anything needs Shockwave, (apparently games and “learning tools”) just run it as a standalone thing that doesn’t rely on a web browser.

    It’s just another thing that doesn’t need to exist as a browser plugin. It isn’t 2003 anymore.

  8. JimH

    @Brian – for FF, Tools/Add-Ons brings up Add-ons Manager, and (on my version anyway – 29.0.1) both Shockwave and Shockwave Director are indicated.. and each can be “activated/de-activated” using the dropdown.. for those still using (shudder) IE – Tools/Manage Addons.. Shockwave may be listed there, as well as a Disable button on lower right

    @MartinPrince – flash and shockwave are 2 different products..

    @grayslady – as Brian has pointed out multiple times before, if you don’t specifically have reason to HAVE it, remove/uninstall it..

    as for the DCR file – I’ve found four uses for it using my favorite search engine.. http://www.fileinfo.com/extension/dcr

    Thanks again Brian.

  9. uyjulian

    Just download the shockwave file (dcr) and play the file offline.

    1. Jon Marcus

      And if the DCR includes an exploit? Then you’ve installed the exploit offline. Is that any better than installing it while online? Your machine is still compromised.

  10. IA Eng

    How else do you expect the miscreants and NSA to gain a foothold in networks? Patch all the holes you want, but when it comes down to it, until they get fuzzing down, it will always be a rush to the gate to see if it closes in time, or someone runs away with your family jewels.

  11. Tom

    That Adobe wasn’t updating Shockwave Player with Flash fixes is just unbelievable. Is anybody awake over at 345 Park Avenue?

  12. meh

    You were shocked? I have a hard time believing that… I would be shocked if it was not that way.

  13. Thomas

    Overall the comments above are accurate; if you don’t need it get rid of it. The .dcr (Director Compressed Resource) is what is published from Adobe Director for web playback, alternatively a .exe file might have been produced for PC playback of the same file.
    As a former Macromedia and Adobe employee who used all these authoring programs it is no surprise that Adobe is “late to the game” in updating Shockwave to the current Flash library as it will require a bit of testing that inevitably will not catch every possible “glitch” of using the 2 technologies together but the security issues should be easier to address. I still use the Shockwave plug-in on a few sites for an immersive experience that HTML 5 and current standards have not yet caught up with but will shortly. Also .dcr = Adobe Director or Shockwave on the web, .swf = Adobe Flash or Flash on the web (but many other Adobe and non-Adobe products produce .swf files), .pdf = Adobe Acrobat (but many other Adobe and non-Adobe products produce .pdf files) and a .aam file = Macromedia/Adobe Authorware which is an all but dead product.
    You would probably be surprised by how much legacy code from other products/plug-ins is part of another player or plug-in but that is mostly due to various product and feature teams working on various aspects/versions of Adobe software; not a grand conspiracy just the bizarre world of corporate software development.

  14. Maureen

    I recently downloaded Ubuntu 14.04 onto a laptop that was XP (and I refused to purchase another Windows product to replace it). As an Ubuntu newbie, I am learning a lot and having fun, but obviously not up to speed on it. It seems to me that at one time in the past several weeks I did see the “shockwave plugin died” on some website.

    I have Google Chrome running as my browser. Do I check in the same manner to see if I have shockwave, or is it an Ubuntu version of shockwave (like pipelight for silverlight)?

    1. timeless

      In my experience (IME), that’s usually Shockwave Flash Plugin died, and it’s typically being used to play sounds for new mail notifications from background tabs.

      1. Be a bit more careful when reading the information bar
      2. If I’m correct, then as Brian notes, this is actually Flash and not Director

      3. Any crash in a plug-in should be considered a possible security risk, since unless you have very technical knowledge about how it crashed, you can’t know if it’s exploitable.

      4. There is one exception which is that modern browsers tend to kill plug-in instances when they aren’t responsive. Depending on which UI you look at, these mercy killings may appear in a place which normally seems to only cover crashes, but hangs aren’t typically indicative of being exploitable for the purpose of running untrustworthy code.

    2. Rabid Howler Monkey

      I don’t believe that Adobe Shockwave Player was ever released for Linux. The Google Chrome OS plug-ins that ship with the browser are Adobe Flash Player and a PDF Reader.

      Two links regarding Adobe Shockwave Player and Linux:

      http://get.adobe.com/shockwave/otherversions/

      “Does the Chrome OS support Adobe Shockwave Player?”
      https://forums.adobe.com/thread/974049

      In the first link, note that Linux is not included in the drop-down list of supported operating systems. In the second link, note that Chrome OS is, like Ubuntu, GNU/Linux and both the responders state that there is no Linux-native version of the Shockwave Player plugin.

      1. Rabid Howler Monkey

        I meant to state ” The Google Chrome browser plug-ins that ship with the browser …”.

  15. mbi

    The best solution is don’t use Adobe if at all possible. It’s just buggy and now we are finding out full of holes.

  16. Amy

    I want to thank you Brian. If I had not stumbled upon your blogs and email subscription I would not have known so many things that needed to be done to protect my computer. Thanks for your insight, knowledge and time!

  17. Yuhong Bao

    Adobe Reader used to have the same problem, and eventually they finally gave up and changed it to use the NPAPI version of the Flash Player.

  18. Hello

    I’m very surprised by this article. I just uninstalled Adobe Shockwave. How could Adobe let this happen? Do you think there is something more sinister going on?

    1. timeless

      The problems that led to this are:
      1. Adobe is an old content producing company. Content companies are focused on features – security wasn’t an initial part of the problem space, originally you trusted the person who created the content.
      2. Adobe is the result of the merging of a number of companies. Each company had its own teams, products, culture, roadmaps, and release cycles.
      3. In merging, they tried to leverage value from other parts of the company – namely the (Action) Script Runtime from what was Macromedia Flash was far superior to the runtime in Shockwave Director or Adobe Acrobat, so it was used to replace the runtimes in both.
      4. While it replaced the runtime, the release / update model for Director and Reader wasn’t updated to reflect the fact that the integrated component has security flaws.
      5. Note that 3 isn’t precisely bad, before Adobe would have had 3 independently buggy and potentially exploitable script runtimes, each of which needing its own team of experts who not understood the functionality / requirements of that specific runtime as well as the specialized field of security.

      (As a disclaimer, I once applied to work for Adobe in this specific area, but they changed their mind as to what kind of role it would be. Within the browser world, the fact that these three plugins shared a runtime was known years ago – certainly I was aware when I spoke with Adobe at the time and I knew a couple of years before. I remember asking them about their plans to address this too.)

      None of these flaws are particularly unique to Adobe.

      Consider how many products bundle OpenSSL, or zlib (there used to be bugs here), or even just bundle their own Java runtime. Technically (and even practically), all of these probably need to have resources and a plan to ship updates to their products whenever these components have announced security updates. But very few do.

      Another example is all of the Android phone vendors who don’t bother shipping security updates for their products. Those updates are often caused by components consumed by Google Android which are in turn consumed by Vendor (e.g. LG or Samsung). Before it was Android, the same problem affected Symbian phones.

      (Disclaimer 2, instead of joining Adobe, I left one phone company for another.)

      Security updates are not something product management people learn about in school. It isn’t covered in business classes. It doesn’t fit well with how anything else works. There is no controlled schedule. It requires monitoring N unrelated components, it requires understanding whether a given component is even used in a way where it would be impacted – consider people who updated an OpenSSL system from before the vulnerability to one which was in fact vulnerable in response to the Heartbleed announcement.

      1. Hello

        Interesting. Thanks for adding that info, timeless.

      2. meh

        And chances are pretty good that by updating that a month down the road new things will be found… I am honestly pretty disappointed by the built in and 3rd party options to auto-update. ‘Good’ security practices mean end users shouldn’t be admins, but since they are not they cannot ever do most of these updates either, and with shorter exploit windows it really needs to be handled at the OS level.

  19. A Hornblatt

    The link to Adobe’s site in the story leads to info on how to uninstall version 11. I found an uninstaller in Windows/System32/Adobe/Shockwave folder which completely removed all traces of the version 12 I had.

  20. Elaine

    Brian, I clicked on the link you provided to uninstall Flashplayer but it didn’t give any information on how to do it. HELP!!!!

      1. Elaine

        Brian, I am so sorry. I didn’t read the instructions properly. I got it to work. So sorry to you. I appreciate you so much and am sorry to cause you unnecessary work.

      2. BaliRob

        The use of the word “Flash” in this thread I suppose refers to Adobe Flash??

        If so, more emphasis should have been made to separate it from Adobe Shockwave which is, in all of its forms, the problem for Adobe.

        As Flash seemed to be persona non grata I removed it as well as Shockwave and found that I could no longer read or open videos used by respectable newspapers online using both Firefox and Chrome. I have re-installed Flash but it has seriously affected its performance using it to open online articles in the Mail for example.

        As for Shockwave – Chrome’s version last year crashed my pc and cost me an enormous cost in time and money for a complete wipe and re-install.

  21. Mark

    This is the same as adobe reader that installs an old version of flash in program files x86\adobe\reader\reader 11.0\reader\NPSWF32.dll
    I upgraded to the latest reader 11.0.07 and it came with Flash version 11.5.502.110 and air version 11.0.7.79

  22. JimV

    Proving once more that where timely security fixes are concerned, Adobe = “mind of brick”….

  23. JohnnyDrama

    Well, this should be interesting. We’ve been working with a vendor that has a web app that uses .swf for training. For me the timeliness of this article couldn’t have been better. I can’t wait to ask them how they plan on addressing the vulnerability created by their app using shockwave.

  24. Paul

    The Mac version of Shockwave has no “Slim” installer, only a “Full” version. Is the Mac version also affected by the aged Flash runtime?

    1. brian krebs

      The story clearly says it affects Mac versions as well. Third paragraph:

      “Worse yet, Dormann said, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2013.”

  25. Glenn B

    “Worse yet, Dormann said, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2013.”

    Worse yet the article fails to mention that it is not the flash player, it’s a subset of flash to integrate with Shockwave. In other words it’s not the same thing and you can’t exploit it in the same way as the flash player.

    Junk article.

    1. BrianKrebs Post author

      Hey Glenn,

      Care to explain why you think this is a non-issue and that it can’t be exploited? CERT seems pretty sure that it can be.

      Also, the article clearly explains right up front that Shockwave bundles its own Flash runtime.

      1. meh

        I think he meant it is just a smaller target, but for those machines running shockwave it would still be a big deal.

      2. Glenn B

        Flash player and Director’s Flash Xtra are described as the same thing in the article. They are not. Director’s flash Xtra is rarely the current version and looking at the one on my mac it has a March 2013 date. It may need updating to patch exploits but I am pointing out that they are different beasts and need different care.

        1. BrianKrebs Post author

          Glenn, are you sure about that? I don’t mention Director’s Flash Xtra at all in the story.

          1. Glenn B

            The ‘player’ for shockwave is the Flash Xtra from Director.

            BTW wishing I hadn’t put ‘junk article’ at the end of my first comment as it sounds terrible! I’ve been using Director and shockwave for years and it is very long in the tooth but it seems of late everybody is trying to nail the coffin lid shut. Another scare article on security and people stop installing it and it dies and so does my client list for shockwave.

            1. BrianKrebs Post author

              Well that explains your hostility. Thanks for coming clean about your motivations. I find when I write about Java vulnerabilities, I get the same angry pushback from people who have built their careers or livelihood around Java.

              Don’t shoot the messenger, Glenn. I hardly think this is a “scare” article. It alerts people of a very real threat and a serious shortcoming by Adobe.

  26. Christian

    Good write up Brian, if it helps this got us over the line of removing Shockwave player from all of our PC’s, its good to have one less app to update at the very least!

  27. Glenn B

    I’m not saying it’s not exploitable just that it’s not the same as the current Flash player and therefore doesn’t have the same exploits and thus the article is making assumptions that shockwave suffers from the same security risks. It’s one thing them showing there are security risks with SW and another thing just saying ‘this uses flash so it needs patching’

    1. BrianKrebs Post author

      “The article is making assumptions…”? No, it’s not. It’s quoting one of the foremost security experts, who says the vulnerabilities are there and are even easier to exploit than against stand-alone Flash.

      You really should tone down your accusations and read more carefully, Glenn.

  28. Mints97

    I like to think of myself as somewhat knowledgeable in the matter of Flash and Shockwave (because of my old hobby of trying to get old online games to work), so let me explain why Adobe actually bundles Flash into Shockwave from the start.

    You see, Shockwave long predates Flash, and, years ago, it was one of the major browser plugins. Shockwave has a modular structure, so that the actual plugin download is kept more lightweight and so that Shockwave movies that require different modules (these modules are actually called Director Xtras) can load them themselves. However, some Xtras were very commonly required, and the chances were that some 96% of shockwave users would download them anyway, so more and more Xtras got bundled with the plugin download.

    So, the popular Adobe Flash plugin started out as just another one of these Xtras, which allowed one to use exceptionally good and easy-to-make animation. Its popularity grew, and soon the Flash Xtra was added to the bundled Xtras that get installed with Shockwave. Time went, Macromedia got bought by Adobe, and Flash got a programming language of its own (ActionScript), and then became an independent plugin, surpassing Shockwave in popularity and making its parent plugin fall into decay, oblivion and horrible backward compatibility.

    However, Shockwave still uses the Flash Xtra. Because it is still one of the most broadly used Xtras. Adobe’s policies in this respect had no reason to change. But the Xtra (which is basically a specially compressed DLL) and the actual Flash Player are now so different that porting the newest version of Flash with all the patches into its Xtra version would require lots of work and money, which just wouldn’t pay off, since Shockwave is seldom used today.

  29. Vazaha48

    I live in a very backwards African nation where Internet access is slow and relatively expensive. I use a 3G+ wireless modem for access at my home. It works fairly well, for the most part, but I really get tired of having to load animated adverts for $15,000 dollar watches and celebrity goings on. I don’t like paying to download something I don’t want to see either.

    I also get tired of having to constantly update programs for security reasons.

    I uninstalled Shockwave and Flash and was pleasantly surprised to find that not only do I not have to worry about the security holes and downloading adverts I don’t want to see, but, also, Firefox works much better, and the parts of web pages I do want to see load faster without the Adobe addons. It’s like having a band width accelerator plugin.

    So far I haven’t seen any websites that need either plugin.
