Tuesday, August 24, 2010

Shockwave plugin v11.5.8, fixes 20 vulnerabilities from the past 15 weeks.

Adobe has released a version of Shockwave plugin today, Aug 24, 2010, that fixes 20 critical vulnerabilities in the plug-in: http://www.adobe.com/support/security/bulletins/apsb10-20.html. That's more than 1 vulnerability per week, since the last update of this plugin, on May 11, 2010, just 15 weeks ago. In a previous post we have some answers to common questions such as "What is Shockwave?"

Here's a timeline of the vulnerability reports that went into the latest release:
  • May 11, 2010: 
    • Shockwave 11.5.7 is released
  • Unknown date: As of Aug 24, I could not find details for these vulnerability reports: 
    • CVE-2010-2863
    • CVE-2010-2864
    • CVE-2010-2865
    • CVE-2010-2868
    • CVE-2010-2869
    • CVE-2010-2880
    • CVE-2010-2881
    • CVE-2010-2882
  • May 27, 2010
    • CVE-2010-2866
    • CVE-2010-2867
    • CVE-2010-2870 example 
  • Jun 30, 2010
    • CVE-2010-2871
    • CVE-2010-2872
    • CVE-2010-2873
    • CVE-2010-2874 example
  • Jul 7, 2010
  • Jul 20, 2010: 
  • Aug 11, 2010:  
    • CVE-2010-2877
    • CVE-2010-2878
    • CVE-2010-2879 example
  • Aug 24, 2010: 
    • Shockwave 11.5.8 is released
In this release, the plugin correctly identifies itself as v11.5.8 in Javascript, so SecBrowsing will start warning about Shockwave again, but once you update, the warning will go away.

Why update and disable plugins?
Exploits in the browser and its plugins are the most common way people's computers get malware. It happens simply by browsing to a site, without any user interaction. It can be triggered by
  • Randomly browsing the web, landing on a site that has been hacked.
  • Browsing a site that runs a malicious banner ad. The ad only needs to run for a few minutes on a popular site to get thousands of people infected.
  • Following a URL sent by a friend, whose email/IM account was compromised. This can also be a targeted attack against your organization.
Most plugins have a really bad security history, and are not required for most websites. Disabling them is many times a good option.