×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Shockwave Vulnerabilities Affect More Than 450 Million Systems

timothy posted about 5 years ago | from the drug-resistant-infections dept.

Security 130

Trinity writes "Researchers from VUPEN have discovered critical vulnerabilities in Adobe Shockwave, a technology installed on over 450 million Internet-enabled desktops. The vulnerabilities could allow remote code execution by tricking a user into visiting a web page using Internet Explorer or even Mozilla Firefox. Version 11.5.1.601 as well as earlier ones are affected. The vendor recommends upgrading to version 11.5.1.602." Especially sobering when you consider Adobe's current push to be essentially required as an intermediary player for anyone who wants to see certain government data.

Sorry! There are no comments related to the filter you selected.

Flashblock (3, Insightful)

sakdoctor (1087155) | about 5 years ago | (#29998146)

Not just a good idea. It's the law.

Re:Flashblock (4, Informative)

al0ha (1262684) | about 5 years ago | (#29998206)

It is not Flash Player - it is Shockwave Player, and frankly I am really surprised devs still use Shockwave and people still install Shockwave Player.

The only reason to use Shockwave in the past was that it was scriptable. Flash has been scriptable since version 5.

Re:Flashblock (1)

Tumbleweed (3706) | about 5 years ago | (#29998568)

It is not Flash Player - it is Shockwave Player, and frankly I am really surprised devs still use Shockwave and people still install Shockwave Player.

In my Firefox, it's called "Shockwave Flash" - one plugin that does both.

Re:Flashblock (4, Informative)

colfer (619105) | about 5 years ago | (#29998842)

No, it's two different plugins.

1. Shockwave Flash 10.0 r32
2. Shockwave for Director 11.5

You can have 1 without 2, latest versions.
Looks some crazed half-forgotten branding initiative.

Interestingly, the player test page http://www.adobe.com/shockwave/welcome/ [adobe.com] tries to install an old version if you have only Flash:

Macromedia Shockwave Player 10.1

That's the old branding and an old version. But anyway it fails to install. Maybe Adobe is confused by my nightly version of Firefox.

Re:Flashblock (1)

clone53421 (1310749) | about 5 years ago | (#29999022)

No, it's two different plugins.

1. Shockwave Flash 10.0 r32
2. Shockwave for Director 11.5

Yes. This. Also, that's confusing as hell.

Got rid of my Shockwave. (1)

antdude (79039) | about 5 years ago | (#29999940)

I rarely see Web sites use Shockwave. And if I do, it usually games. 99% of the stuff I see are in Flash. If I need it, I will just reinstall, look/use, and then uninstall it.

Re:Flashblock (3, Informative)

Khyber (864651) | about 5 years ago | (#29998798)

Flash didn't have Shockwave's 3D acceleration until version 10 of Flash. That is why many devs still used Shockwave.

Surprised? Pay more attention to the featureset next time, yea?

Re:Flashblock (4, Interesting)

mcgrew (92797) | about 5 years ago | (#29998806)

I'm surprised that anybody's surprised that a new Adobe exploit has surfaced, They seem to have surpassed Microsoft in their zeal to get your PC infected; Microsoft seems to hava actually been getting better in the last couple of years. Or Microsoft seems to at least be trying. Adobe doesn't seem to care.

Re:Flashblock (5, Insightful)

Tubal-Cain (1289912) | about 5 years ago | (#29998902)

They seem to have surpassed Microsoft in their zeal to get your PC infected...

And considering that they have more marketshare than Microsoft, they can actually pull it off.

Re:Flashblock (1)

Frosty Piss (770223) | about 5 years ago | (#30000728)

Adobe doesn't seem to care.

It's not the only thing they don't care about.

When will they come out with Photoshop / Image Raedy for Linux? No market? Bullshit.

Basically, a wink wink nod nod with the money men @ Microsoft and Apple.

Re:Flashblock (0)

Anonymous Coward | about 5 years ago | (#30001340)

no wonder i didn't spec the adobe stuff anymore.

they're mean to people as well so stuff them.

the next rung down from the mpaa

Re:Flashblock (1)

ozmanjusri (601766) | about 5 years ago | (#30002838)

They seem to have surpassed Microsoft in their zeal to get your PC infected;

Is this any better/worse than the Remote Code Execution [nai.com] vulnerability in Silverlight last month?

And a general question to Slashdot. Is the current proliferation and duplication of interactive web platforms (Flash, Silverlight, HTML5 etc) with the resultant increase in surface area for vulnerabilities better or worse than a monoculture?

Would we all be better off just pushing for a single web platform?

Re:Flashblock (4, Informative)

deuterium (96874) | about 5 years ago | (#29999120)

Being a Director developer, there are some things Director can do that Flash can't:

Control embedded PDF files
Manipulate bitmaps
Create 3D scenes with physics
Make network calls through proxy servers
Access/Modify system resources
Wider range of media support

Director is actually capable of more than Flash, it just never caught on as well with developers. The mob rules, though.

Re:Flashblock (4, Insightful)

ais523 (1172701) | about 5 years ago | (#29999318)

Being a Director developer, there are some things Director can do that Flash can't:

Make network calls through proxy servers
Access/Modify system resources

Director is actually capable of more than Flash, it just never caught on as well with developers. The mob rules, though.

This may be nice for a developer, but for a user, this is really scary.

Re:Flashblock (0)

Anonymous Coward | about 5 years ago | (#30000470)

Being a Director developer, there are some things Director can do that Flash can't: Control embedded PDF files Manipulate bitmaps Create 3D scenes with physics Make network calls through proxy servers Access/Modify system resources Wider range of media support

All things an end user could generally care less about if they're not playing games.

Re:Flashblock (1)

EXrider (756168) | about 5 years ago | (#30000588)

Question... why to this day does Adobe STILL not have some kind of unified server update solution for business networks? Sure, as an admin, I can roll my own scripts together to get it done, but with the frequency required lately, it's getting really old. It drives me insane having to download and install the same CS updates on multiple machines. Acrobat Reader and Flash updates on multiple browsers and platforms is even worse.

Re:Flashblock (0)

Anonymous Coward | about 5 years ago | (#29999352)

It is not Flash Player - it is Shockwave Player, and frankly I am really surprised devs still use Shockwave and people still install Shockwave Player.

The only reason to use Shockwave in the past was that it was scriptable. Flash has been scriptable since version 5.

WEB Ex?!?

Re:Flashblock (0)

Anonymous Coward | about 5 years ago | (#29999934)

Quick, someone make ShockBlock.

I don't think there is a Linux version so I guess I'm missing out on all the fun.

Re:Flashblock (1)

TheDarkener (198348) | about 5 years ago | (#30000136)

Sounds like a personal problem to me...

Oh, SHOCK block.

Re:Flashblock (2, Insightful)

CSMatt (1175471) | about 5 years ago | (#30000842)

Flashblock puts a placeholder in front of Flash, Shockwave, Authorware, Java, and Sliverlight.

Re:Flashblock (0)

Anonymous Coward | about 5 years ago | (#30001384)

Flashblock recently blocked a director applet for me, i was rather surprised as I had long suspected that director was completely dead and no one touched the thing any more, it doesn't matter anyway, being on linux i couldn't use the shockwave applets even if i wanted to.
Shockwave, when i used to encounter it, seemed much faster than flash's clunky anti-aliased vectors and did 3D for gaming, i don't know what flash is capable of now but back then more complex online games were either java or shockwave based and flash was for the silly little stuff.

Remind a noob... (0)

Anonymous Coward | about 5 years ago | (#29998178)

What's the difference between Shockwave and Flash?

Or are they the same thing? If so, why two names for it?

Re:Remind a noob... (4, Informative)

Reason58 (775044) | about 5 years ago | (#29998370)

What's the difference between Shockwave and Flash?

Or are they the same thing? If so, why two names for it?

You're welcome. [adobe.com]

Re:Remind a noob... (1)

EvilBudMan (588716) | about 5 years ago | (#29998690)

I still don't get why they have two of these? Oh, I remember the Macromedia buyouts. I don't think I have Shockwave installed. I didn't think it was being used anymore.

Even Adobe can't explain Shockwave properly. (4, Informative)

Animats (122034) | about 5 years ago | (#29998810)

Even Adobe can't explain Shockwave properly.

Shockwave is a real 3D system usable as a decent game engine. At one time, it even had the Havok physics engine, but Adobe didn't keep up the payments and had to take that out. Try BMX Street Rider [swgamers.com] , which is a reasonably decent free-play game in a modest sized city. It's way ahead of the proposed hacks for doing 3D with Javascript.

What killed Shockwave for trivial applications is "LOADING..." problems. Flash can start before all the content has been loaded, because Flash has two interleaved streams, a timeline and assets. As soon as you have enough assets for the stuff needed by the timeline so far, Flash can go. So you can write Flash that starts fast and loads assets in the background.

Re:Even Adobe can't explain Shockwave properly. (2, Informative)

azav (469988) | about 5 years ago | (#30002832)

NO. Shockwave is Director content compressed for playback over the internet. Director supports xtras, much like Potoshop supports plugins. One of those plugins is a 3D environment, Flash is another. Director is a timeline based bitmap, text, video and vector animation tool with an object oriented scripting language in verbose, dot and javascript syntaxes. Director content can be played back in a standalone disk based app or through a browser that has the Shockwave plugin installed.

Director content can also stream in as needed, with a minimum of the content loading, so your comment about "LOADING..." problems is untrue.

Re:Remind a noob... (0, Redundant)

ThrowAwaySociety (1351793) | about 5 years ago | (#29998984)

What's the difference between Shockwave and Flash?

Or are they the same thing? If so, why two names for it?

You're welcome. [adobe.com]

Flash is included in every Netscape download

Ahh, that clears it up!

Re:Remind a noob... (1)

DigitAl56K (805623) | about 5 years ago | (#30000950)

From that article:

(Sometimes you might hear someone refer to "Shockwave Flash", but these are actually two different multimedia players.)

Now go look in the Firefox plugins list (Tools->Add-ons). Yeah... I wonder why people get confused..

Re:Remind a noob... (1)

azav (469988) | about 5 years ago | (#30002810)

One plays back Flash content in the browser, the other plays back Director content in the browser. Adobe bungled the user perception of this continuing in Macromedia's tradition.

But there's already a patch (2, Insightful)

pdclarry (175918) | about 5 years ago | (#29998192)

As there are over a billion computers with Windows vulnerabilities and countless other "at risk" applications that get patched regularly this doesn't sound like a situation all that out of the ordinary. And as with Windows some users will update and some will remain at risk.

Let's Clear the Confusion off the bat (-1, Redundant)

al0ha (1262684) | about 5 years ago | (#29998256)

This is not related to Flash Player, this is in regards to Shockwave Player.

Frankly I am really surprised devs still use Shockwave and people still install Shockwave Player. I have not installed Shockwave player in years and never missed it.

The only reason to use Shockwave in the past was that it was scriptable. Flash has been scriptable since version 5

Re:Let's Clear the Confusion off the bat (4, Funny)

Joe Snipe (224958) | about 5 years ago | (#29998318)

First dupe articles, now dupe posts! [slashdot.org]

Re:Let's Clear the Confusion off the bat (0)

Anonymous Coward | about 5 years ago | (#29999878)

with dupe jokes, and dupe +5 mods.

and finally a dupe commenting on all the dupes from top to bottom.

surely there must be something original...

"You're very clever, young man, very clever", said the old lady. "But it's DUPES all the way down!"

Re:Let's Clear the Confusion off the bat (1)

selven (1556643) | about 5 years ago | (#30000834)

with dupe jokes, and dupe +5 mods.

and finally a dupe commenting on all the dupes from top to bottom.

surely there must be something original....

"You're very clever, young man, very clever", said the old lady. "But it's DUPES all the way down!"

Just in case... (1)

Borommakot_15 (1259510) | about 5 years ago | (#29998270)

I went ahead and updated, just in case, before too many /. readers do, all at once. =P

Re:Just in case... (4, Informative)

clone53421 (1310749) | about 5 years ago | (#29999088)

I did too – then I realized that I didn't have Shockwave in the first place. I had Flash, which is different. Now I'm considering uninstalling Shockwave again, because I didn't need it before and I don't expect to need it in the future.

Are you sure you had it to begin with?

"Shockwave Flash" is Flash (plays .swf files). "Shockwave for Director" is Shockwave (uses .dcr files).

Yes, it's confusing. You can thank Adobe for that.

Government (0)

Idiomatick (976696) | about 5 years ago | (#29998288)

Is he worried the gov will abuse this hole? If not I fail to see what makes it especially sobering. If it were a client->server hole that would be a problem of course.
Not that I support anything adobe makes aside from photoshop anyways...

Re:Government (4, Informative)

John Hasler (414242) | about 5 years ago | (#29998654)

> Is he worried the gov will abuse this hole?

No. He's worried that that the government is going to make their data inaccessible to anyone who doesn't install a useless piece if junk that would make their computer insecure.

Re:Government (1)

Culture20 (968837) | about 5 years ago | (#30001736)

Back when there was a serious MS excel bug, there was a State agency website in Iowa(?) that was serving up an infected xls file for some semi-important accounting thing.

Does this really need to be discussed? (1)

BattleApple (956701) | about 5 years ago | (#29998294)

You could pretty much take any two security issue threads on here, swap the comments section, and never know the difference.

Software has bugs.
Some of them are security issues.
They get discovered.
They (usually) get fixed.

What's there to talk about?

Re:Does this really need to be discussed? (2, Funny)

ColdWetDog (752185) | about 5 years ago | (#29998382)

What's there to talk about?

Sex? Cars? Come on, I'm sure we can think of something.

Re:Does this really need to be discussed? (1)

Yvan256 (722131) | about 5 years ago | (#29999066)

Sex in cars? Sexy cars? Car-on-car sex?

The possibilities are a bit limited if you only give us two options.

no MSI installer yet (2, Informative)

Rob Bos (3399) | about 5 years ago | (#29998302)

As of posting, there's no MSI installer for the new version yet, and the .exe installer doesn't seem to support silent installs.

http://www.appdeploy.com/packages/detail.asp?id=1438 [appdeploy.com]

Re:no MSI installer yet (1)

gad_zuki! (70830) | about 5 years ago | (#29998768)

Big deal. Wrap it in an AutoHotKey script, make it invis, whatever you want. Admins who wait for MSIs are pretty lazy or dont know scripting.

Re:no MSI installer yet (1)

idontgno (624372) | about 5 years ago | (#29998820)

Admins who wait for MSIs are in a systems management regime that requires MSI installs.

FTFY.

Re:no MSI installer yet (4, Informative)

clone53421 (1310749) | about 5 years ago | (#29999114)

So? This isn't Flash. You don't need it to visit 95% of the web. You hardly ever need it – I didn't even have it installed.

Check the add-ons; if you don't have "Shockwave for Director", it isn't even installed. "Shockwave Flash" is the flash player (not Shockwave).

Hard to care anymore (5, Interesting)

belthize (990217) | about 5 years ago | (#29998320)

I find it harder and harder to really give a shit anymore. All of our systems (linux, Windows ,OSX) all have various automatic patching schemes. Once the vendor gets around to fixing their crap (Adobe in this case) we'll ingest the patch and move on.

Once upon a time I monitored the various security announcement lists but ultimately it didn't matter. Most of this crap has become mission critical so turning it off isn't an option, fixing it yourself is rarely and option so you're left with wait and patch solution.

I guess it's kind of free'ing. I no longer stress about it and focus on more relevant issues.

Re:Hard to care anymore (4, Insightful)

BitZtream (692029) | about 5 years ago | (#29998652)

As a dev, autoupdates are evil. It's great if the updates don't change the behavior of whatever is being updated, but it sucks ass when those updates break or as MS is so fond of, remove functionality.

I've spent the last two months straight dealing work arounds for MS patches that have done this and are rolled out across 15k machines overnight.

Autoupdates are dangerous things. You get unexpected changes with no apparent reason. You have become the beta tester for software companies, and it's become accepted since they will patch it later. Hell, video game consoles are now rolling out buggy games sooner than they should because they can 'patch them later'

how about we up our standards a luittle instead and start requiring better engineering instead of treating updates as acceptable and normal

Re:Hard to care anymore (1)

belthize (990217) | about 5 years ago | (#29998752)

I started to clarify in my initial post but didn't feel like it. We don't *autopatch* anything. We apply applicable patches after testing.

It doesn't change the initial point about not really stressing about announced vulnerabilities. Nothing I can do till they get around to patching it, at which point we'll test and release, though not in this case since we blessedly have no shockwave reqs.

Re:Hard to care anymore (0)

Anonymous Coward | about 5 years ago | (#30000380)

Where I work we delay auto patching for up to 2 weeks (in which time people have a chance to fix/patch/change there systems, After which time every machine gets the patch if it is security related no matter how hard the devs or business people whine. The simple fact is a breach of corporate data through a known vulnerability has far reaching privacy, legal and financial costs that don't come close to the inconvenience or loss of money from downtime for a bad patch. I am happy to finally work at an organisation that doesn't treat their customers data and corporate data security as a second rate citizen.

Re:Hard to care anymore (1)

tacokill (531275) | about 5 years ago | (#30001648)

how about we up our standards a luittle instead and start requiring better engineering instead of treating updates as acceptable and normal

Which option do you think costs less?
There's your answer.

Re:Hard to care anymore (1)

HomelessInLaJolla (1026842) | about 5 years ago | (#30001798)

You have become the beta tester for software companies

At one time that was a defining difference between corporate produced software and enthusiast software. Paying for the software was theoretically covering the cost of beta testers (and corporate cruft). Using freeware, trialware, crippleware, shareware, etc. was a sign that you might be interested in assisting the programmer(s) in working out bugs.

how about we up our standards a little

For entertainment software that idea went out the window about twenty years ago. For enterprise software that idea went out the window about thirty years ago. Corporate profit margins have ensured that software quality has been on a degenerating spiral. New languages, new fads, new hardware, new advertising, whizz-bang effects and whoa! cool! graphics have been nothing but a coverup for complete loss of useability and functionality and notoriously inflated price.

Think about it within the context of the dot com bubble. Think about the dot com bubble in the realm of multibillion dollar investing brokerages. Create a complimentary timeline of government tax subsidies and industry bailouts. Might as well have a concomittant look at the military campaigns that have been staged across the globe in the last forty years.

Create debt. Maintain debt. Keep people in debt. Work them for everything they're worth. Human lives reduced to expendable batteries. Enormous glaring software deficiencies and exploits are nothing more than a margin note of logical fallout.

There is a solution. You will not like it. Leave everything behind and follow me--the alternative is to resign yourself to being just another battery in that system for someone else's greater profit. Jesus Christ was not lying and his analysis of the greater functionality of society is as true today as it was two thousand years ago.

Re:Hard to care anymore (1)

maztuhblastah (745586) | about 5 years ago | (#30002446)

As a dev, autoupdates are evil. It's great if the updates don't change the behavior of whatever is being updated, but it sucks ass when those updates break or as MS is so fond of, remove functionality.

Autoupdates are dangerous things. You get unexpected changes with no apparent reason

It doesn't have to be that way... [debian.org]

Come, friend... come and try stable. We'll treat you right.

the joy of learned helplessness (1)

epine (68316) | about 5 years ago | (#29999652)

Would you believe, that's the second biggest rootkit I've ever seen?

I guess it's kind of free'ing. I no longer stress about it and focus on more relevant issues

Pretty much where I'm at while I continue to throw good coin at my local robocall entitlement company and diligently recycle dead trees hand delivered by my local robomail entitlement crown corp. There used to be a number of disposable single blade razors that worked well for me, all since driven out of the market. Now I lease my triple-blade manhood from Warren Buffett at triple the price.

Ah yes, the old "and loving it" trick.

NoScript (0)

Itninja (937614) | about 5 years ago | (#29998392)

That will take the "or even Mozilla Firefox" right out of there. Never use a browser developed by an organization that makes it's money directly from pushing ads on you. They disallow plug-ins like this.

If you get an error installing Shockwave... (3, Informative)

ThreeGigs (239452) | about 5 years ago | (#29998450)

If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.

To disable:
Look in the root of your C: drive for boot.ini.
Start a command line. Attrib c:\boot.ini -r -a -s -h
Edit boot.ini (In notepad)
Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
Save boot.ini.
In the command window type attrib c:\boot.ini +r +a +s +h
Reboot. DEP is now disabled.
Install the Shockwave Player update.

Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.

Alternatively you can save a copy of the edited boot.ini, set the attribs to +r +a +s +h, and rename as necessary in case (read: when) you need to disable DEP again in the future.

I figure a lot of users are going to have this problem (again), as Adobe still hasn't fixed this bug.

Re:If you get an error installing Shockwave... (3, Informative)

WD (96061) | about 5 years ago | (#29998588)

If the act of simply installing the software relies on violating DEP, do you think that perhaps may be an indication about the quality of the code itself? It may be time to think twice about whether you want it on your system. Uninstalling is probably easier and safer.

Re:If you get an error installing Shockwave... (5, Informative)

Anonymous Coward | about 5 years ago | (#29998598)

Ummm, why not use the simple right-click "my computer" and turn DEP off (or just add a DEP exception) instead of editing a text file?

If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.

To disable:
Look in the root of your C: drive for boot.ini.
Start a command line. Attrib c:\boot.ini -r -a -s -h
Edit boot.ini (In notepad)
Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
Save boot.ini.
In the command window type attrib c:\boot.ini +r +a +s +h
Reboot. DEP is now disabled.
Install the Shockwave Player update.

Re-edit boot.ini to re-enable Data Execution Prevention, and reboot once again.

Re:If you get an error installing Shockwave... (2, Informative)

ThreeGigs (239452) | about 5 years ago | (#29999336)

Been there done that, and DEP status doesn't change unless a reboot happens. And if you've got DEP set to optin in boot.ini, it'll always re-enable itself. Yes, there are other ways to change it, but I always preferred to go directly to the root.

Re:If you get an error installing Shockwave... (1)

yuhong (1378501) | about 5 years ago | (#30002846)

Except that this boot.ini way to disable DEP disable DEP for ALL APPLICATIONS!

Re:If you get an error installing Shockwave... (4, Informative)

Anonymous Coward | about 5 years ago | (#29998600)

And I want to run an application that executes in its data area why?

It would be different if the installer intentionally used some sort of self modifying code system.

But the only possible explanation for why a Shockwave updater fails to run with DEP enabled, is that at least one of its threads is doing some sort of buffer overrun and running off into the woods. It just usually doesn't break things bad enough to make the installation fail, unless DEP actually stops the thread.

Not exactly the type of program I want to be running on my computer.

Re:If you get an error installing Shockwave... (1)

Spad (470073) | about 5 years ago | (#29999908)

Sophos AV's heuristics scanning (HIPS) goes mental when you try and install Shockwave; it gets flagged as suspicious behaviour and a buffer overrun risk (Incidentally, Adobe Reader is the same).

Re:If you get an error installing Shockwave... (1)

lennier (44736) | about 5 years ago | (#30000440)

"And I want to run an application that executes in its data area why?"

If it's using any kind of virtual machine with a dynamic languge and a just-in-time compiler (like Forth or Lisp or maybe an efficient implementation of Javascript), it might need to compile bytecode to x86 code and then execute it. How else are we going to implement these languages? "Nobody needs a dynamic language with incremental compilation, everyone should have separate run and compile phases" isn't really a long-term answer.

Re:If you get an error installing Shockwave... (0)

Anonymous Coward | about 5 years ago | (#30000600)

Maybe by flagging the allocated memory als executable?

Re:If you get an error installing Shockwave... (1)

John Hasler (414242) | about 5 years ago | (#30000934)

> How else are we going to implement these languages?

Via interpreters.

Re:If you get an error installing Shockwave... (1)

blincoln (592401) | about 5 years ago | (#30001186)

And I want to run an application that executes in its data area why?

There are two kinds of "DEP" in Windows - hardware DEP, and software "DEP". The software "DEP" is not literally "data execution prevention", it involves blocking the use of exceptions which aren't registered in a global table, or something along those lines. Yes, software that violates it is probably not great, but sometimes an alternative isn't available.

Re:If you get an error installing Shockwave... (1)

tokul (682258) | about 5 years ago | (#29998688)

If you're having problems installing the updated Shockwave player, it may be because you have Data Execution Prevention enabled.

Even Windows thinks that Shockwave is malware. :)

Holy crap! When did linux get here? (1)

Petersko (564140) | about 5 years ago | (#29998790)

To disable:
Look in the root of your C: drive for boot.ini.
Start a command line. Attrib c:\boot.ini -r -a -s -h
Edit boot.ini (In notepad)
Look for "noexecute=optin" and change it to "noexecute=AlwaysOff" (don't add or remove any spaces, line breaks, etc)
Save boot.ini.
In the command window type attrib c:\boot.ini +r +a +s +h
Reboot. DEP is now disabled.
Install the Shockwave Player update.


If I hadn't looked closely I would have assumed this was a relatively painless set of steps an end user would need for doing some workaround in linux.

Actually, adobe has pissed me off many times. Shockwave, in particular, is a bitch to remove because Adobe gets all funky with file permissions - unnecessarily.

Re:If you get an error installing Shockwave... (1)

Hurricane78 (562437) | about 5 years ago | (#29999444)

I have no C:, you insensitive clod!

(I have a root though.)

Re:If you get an error installing Shockwave... (1)

mister_playboy (1474163) | about 5 years ago | (#29999616)

If you have WINE, you could use "Z:"... :)

Re:If you get an error installing Shockwave... (0)

Anonymous Coward | about 5 years ago | (#30000066)

love that!
makes installing binary blob drivers in debian sound like a breeze

Re:If you get an error installing Shockwave... (1)

operagost (62405) | about 5 years ago | (#30000482)

So... why are you removing the "archive" attribute? Just like that doing that spells the word "rash"?

Re:If you get an error installing Shockwave... (1)

EXrider (756168) | about 5 years ago | (#30000726)

It needs to execute code from the data segment to install!? What a piece! Just un-install it and be done with it.

dumb users (1)

xxuserxx (1341131) | about 5 years ago | (#29998570)

To me this just seems like user stupidity. You can have your computer hijacked a million different ways however if you pay attention to what you click you can avoid most.

Re: user stupidity (1)

Dystopian Rebel (714995) | about 5 years ago | (#29998694)

It is much easier to patch 700 million PCs than it is to make stupid people smarter.

And we're clearly not doing such a good job of patching 700 million PCs.

China, North Korea, and even Iran's (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#29998898)

Firewall will have more uses than is obvious. While you can keep citizens from contacting others, you can also launch an attack on systems the world over and yet, protect your systems. I hope that the western nations are thinking this through.

Government not using Shockwave... ? (1)

CannonballHead (842625) | about 5 years ago | (#29998922)

Especially sobering when you consider Adobe's current push to be essentially required as an intermediary player for anyone who wants to see certain government data.

Adobe is pushing for Flash and PDF... not Shockwave and PDF...

Re:Government not using Shockwave... ? (1)

John Hasler (414242) | about 5 years ago | (#29999008)

So? It's still ridiculous to use it on such a site.

Re:Government not using Shockwave... ? (1)

CannonballHead (842625) | about 5 years ago | (#29999154)

I agree. I'm saying the summary is incorrect.

Re:Government not using Shockwave... ? (0)

Anonymous Coward | about 5 years ago | (#29999330)

What's incorrect? The summary is suggesting that Adobe, who make Shockwave, may not be qualified to make other software, Flash and Acobat, that would become mandatory for government access.

Re:Government not using Shockwave... ? (1)

CannonballHead (842625) | about 5 years ago | (#30000804)

It sounded like the summary is trying to say Adobe was pushing for Shockwave to be mandatory for government-kept information access.

No adobe shit, thank you! (0)

Anonymous Coward | about 5 years ago | (#29999038)

Not on my computer.

Are their FOSS alternatives to Flash and Shockwave (1, Interesting)

AP31R0N (723649) | about 5 years ago | (#29999044)

1) Are there FOSS alternatives to Flash and/or Shockwave?

2) Why(not)?

3) If there was, would it help reduce problems like this?

Please don't mod me as trolling for asking questions!

Re:Are their FOSS alternatives to Flash and Shockw (3, Informative)

supersloshy (1273442) | about 5 years ago | (#29999324)

Google Gnash and Swfdec; they're coming along nicely, but aren't 100% replacements as of yet.

Re:Are their FOSS alternatives to Flash and Shockw (1)

AP31R0N (723649) | about 5 years ago | (#29999630)

Thanks, i've added those to my Del.ico.us for later investigation. :)

Re:Are their FOSS alternatives to Flash and Shockw (2, Informative)

slimjim8094 (941042) | about 5 years ago | (#29999384)

1. Yes/no.
2. See above. Nobody cares about Shockwave, though.
3. Yes.

It's called Gnash. See http://www.gnu.org/software/gnash/ [gnu.org]
There's also a few others, such as http://swfdec.freedesktop.org/wiki/ [freedesktop.org] . Gnash is probably better.

Re:Are their FOSS alternatives to Flash and Shockw (2, Interesting)

TheDarkener (198348) | about 5 years ago | (#30000022)

2. See above. Nobody cares about Shockwave, though.

Nay, say I and the (many) school districts who visit shockwave-only educational sites. Not having Shockwave Director available on Linux has cost me clients. Talk about a slap in the face for trying to give schools a break by using good software, because they are too attached to bad software..

Simlpe dont use any adobe products (2, Funny)

hesaigo999ca (786966) | about 5 years ago | (#29999052)

I just dont use adobe products anymore, either flash, or shockwave, are too seriously integrated into our pcs, that when the day comes that skynet is self aware, that will be the first application it looks to to take over all pcs around the world....have we not learned anything from terminator?

Re:Simlpe dont use any adobe products (1)

brkello (642429) | about 5 years ago | (#30000784)

If you think about it, this is a good thing. Skynet will probably have some adobe products on it somewhere which we can use to hack in to it and disable it, thus saving us all. Adobe has been protecting us from skynet since its inception.

Easy, permanent solution (0)

Anonymous Coward | about 5 years ago | (#29999158)

Download the Shockwave software and run the UNinstall script.

People still use Shockwave? (1)

dandart (1274360) | about 5 years ago | (#29999372)

I'm a Linux user, you insensitive clod!

Re:People still use Shockwave? (1)

vtcodger (957785) | about 5 years ago | (#29999698)

***I'm a Linux user, you insensitive clod!***

Well, maybe Shockwave will run in WINE. Or VMplayer, vbox, or qemu. There must be 50 ways to get your Linux PC infected with Windows malware if you'd just try.

Re:People still use Shockwave? (1)

dandart (1274360) | about 5 years ago | (#30000084)

Woo hoo! My first virus! Ah, I do remember the good old days of nothing being what you expect... I miss all the "You got a virus" notifications...

Here are the shockwave stats - could be a problem (5, Informative)

Anonymous Coward | about 5 years ago | (#29999618)

Ok, I just compiled some stats on Shockwave version plugin distribution using roughly 30 million unique data points from July 1 of this year until about a week ago - here is roughly the distribution (includes IE/FF/etc. - all major browsers):

Not installed => 67.54%
11,0,0,0 => 2.86%
10,2,0,0 => 2.84%
10,1,0,0 => 2.59%
11,0,0,465 => 2.41%
11,5,0,0 => 2.05%
11,5,1,601 => 1.90%
8,5,1,0 => 1.75%
10,1,4,0 => 1.73%
11,0,0,429 => 1.58%
11,0,3,472 => 1.56%
10,1,1,0 => 1.53%
11,5,0,596 => 1.46%
11,5,0,600 => 1.38%
11,0,3,471 => 1.35%
11,5,0,595 => 1.21%
11,0,0,458 => 0.93%
10,3,0,0 => 0.78%
11,0,3,470 => 0.66%
8,0,0,0 => 0.43%
10,1,3,0 => 0.37%
8,5,0,0 => 0.32%
11,0,3,0 => 0.23%
10,0,0,0 => 0.16%
10,0,1,0 => 0.11%
7,0,0,0 => 0.10%
11,5,1,0 => 0.08%
10,4,0,0 => 0.04%
6,0,0,0 => 0.03%

What is potentially troubling is that there does not appear to be much in the way of upgrade movement in Shockwave installs. So if "Adobe Shockwave Player versions prior to 11.5.2.602" are truly at risk, we are talking about 30% of web users roughly.

I will publish a more in-depth report later today here: http://www.statowl.com/ [statowl.com] in the plugin section [statowl.com] . I have been neglecting that site anyways - time to update the stats - the past three month are absent - sigh....

Re:Here are the shockwave stats - could be a probl (0)

Anonymous Coward | about 5 years ago | (#29999930)

what exactly does "upgrade movement" mean?

Re:Here are the shockwave stats - could be a probl (1)

caffeinejolt (584827) | about 5 years ago | (#29999984)

what exactly does "upgrade movement" mean?

That means that it would appear shockwave users do not frequently upgrade. They probably had to install the plugin to view something and then they forget about it. In this case, this may leave more people open to attack.

This is not the same thing as flash player... (1)

mario_grgic (515333) | about 5 years ago | (#29999946)

IF you look in Firefox add-ons/plugins it will be listed as

"Shockwave for Director 11.5.2.602"

whereas regular flash player is listed as

"Shockwave Flash 10.0.32.18"

I don't think 450,000,000 desktops out there have a shockwave player installed? I doubt it is that popular.

Anyone else have a problem after updating? (1, Interesting)

Anonymous Coward | about 5 years ago | (#30000040)

Rolled this out to a small lab (you know how students are, and where they can go, better safe than...).

After installation, *all* users are asked to individually install another component when the Shock embed in the open page attempts to play (which as non-admins, they can't do). Since several of our teaching programs Shockwave this presents a real PITA.

Previously there was no such behavior. Any ideas?

Re:Anyone else have a problem after updating? (1)

oDDmON oUT (231200) | about 5 years ago | (#30002302)

Try going somewhere with a shockwave embed as an admin, let the install mechanism do it's download happy dance, then have someone with user privileges do the same. I think you'll find that the problem is solved.

*Title double-take* (1)

JeanPaulBob (585149) | about 5 years ago | (#30000700)

Oh, so this isn't a story about astronomy... what a relief!
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?