Posted by: Ken Harthun
Adobe’s Shockwave (this is NOT Flash – Flash is sometimes labeled “Shockwave Flash”) has a bucket full of vulnerabilities (11 in all). It’s not a widely used platform and I recommend you uninstall it immediately. It will be labeled simply as “Shockwave” or “Shockwave Player” and will have a version number of 11.x.x.xxx. Shockwave Flash is at version 10.x. (See image.) In this @RISK: The Consensus Security Vulnerability Alert Volume: IX, Issue: 20, May 13, 2010 article, SANS outlines the vulnerabilities:
The first issue is caused by a boundary error while processing Shockwave 3D block. The second issue is a memory corruption vulnerability caused by a signedness error while processing malicious Shockwave files. The third issue is a memory corruption vulnerability caused by an array indexing error while processing malicious Shockwave files.
. . .
The eleventh issue is caused by a signedness error while processing Director files. There are some more unspecified errors which can be exploited to cause memory corruption.
Unless you have a specific use for this plugin, just get rid of it. I found I don’t even have it, so it’s not really an issue for website functionality.
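To check a machine for the plugin without confusing it with Flash, the naming rule above can be applied to the installed-programs list. This is an added example, not code from the original post; it assumes Windows, assumes the uninstall registry entries use the same "Shockwave" / "Shockwave Flash" names, and the function names and sample entries are constructed for illustration.

```python
import re
import sys

UNINSTALL_KEYS = (  # standard Windows "installed programs" registry locations
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)

def classify(name):
    """Return 'shockwave-player', 'flash', or None for an installed-software name."""
    if not re.search(r"\bshockwave\b", name, re.IGNORECASE):
        return None
    # "Shockwave Flash" is Flash Player, not the plugin this post is about.
    if re.search(r"\bflash\b", name, re.IGNORECASE):
        return "flash"
    return "shockwave-player"

def find_shockwave_player(entries):
    """Filter (name, version) pairs down to Shockwave Player installs."""
    return [(n, v) for n, v in entries if classify(n) == "shockwave-player"]

def installed_programs():
    """Yield (DisplayName, DisplayVersion) from the Windows uninstall keys."""
    import winreg  # Windows-only standard library module
    for path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # key absent, e.g. no WOW6432Node on 32-bit Windows
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    try:
                        name = str(winreg.QueryValueEx(sub, "DisplayName")[0])
                    except OSError:
                        continue  # entry without a display name
                    try:
                        version = str(winreg.QueryValueEx(sub, "DisplayVersion")[0])
                    except OSError:
                        version = ""
                    yield name, version

# Constructed sample entries (not real inventory data), used off Windows.
SAMPLE = [("Shockwave Flash", "10.0.0.0"), ("Shockwave Player", "11.0.0.000"),
          ("Example Reader", "1.0")]

if __name__ == "__main__":
    source = installed_programs() if sys.platform == "win32" else SAMPLE
    for name, version in find_shockwave_player(source):
        print(f"uninstall candidate: {name} {version}")
```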