Date: Wed, 21 May 2014 20:26:03 -0400
From: mark <whitroth at 5-cent.us>
To: undisclosed-recipients:;
Subject: [WSFA] Why You Should Ditch Adobe Shockwave
Reply-To: WSFA members <WSFAlist at KeithLynch.net>
Excerpt:
Will Dormann, a computer security expert who writes threat advisories for
Carnegie Mellon University’s CERT. In a recent post on the release of the
latest bundle of security updates for Adobe’s Flash player, Dormann
commented that Shockwave actually provides its own version of the Flash
runtime, and that the latest Shockwave version released by Adobe has none
of the recent Flash fixes.
Worse yet, Dormann said, the current version of Shockwave for both Windows
and Mac systems lacks any of the Flash security fixes released since
January 2013. By my count, Adobe has issued nearly 20 separate security
updates for Flash since then, including fixes for several dangerous
zero-day vulnerabilities.
“Flash updates can come frequently, but Shockwave not so much,” Dormann
said. “So architecturally, it’s just flawed to provide its own Flash.”
Dormann said he initially alerted the public to this gaping security hole
in 2012 via this advisory, but that he first told Adobe about this
lackluster update process back in 2010.
As if that weren’t bad enough, Dormann said it may actually be easier for
attackers to exploit Flash vulnerabilities via Shockwave than it is to
exploit them directly against the standalone Flash plugin itself. That’s
because Shockwave has several modules that don’t opt in to trivial exploit
mitigation techniques built into Microsoft Windows, such as SafeSEH.
--- end excerpt ---
<http://krebsonsecurity.com/2014/05/why-you-should-ditch-adobe-shockwave/#more-25983>
mark