Here's a timeline of the vulnerability reports that went into the latest release:
- May 11, 2010:
  - Shockwave 11.5.7 is released
- Unknown date: As of Aug 24, I could not find details for these vulnerability reports:
- May 27, 2010:
  - CVE-2010-2870 example
- Jun 30, 2010:
  - CVE-2010-2874 example
- Jul 7, 2010:
  - CVE-2010-2875 example
- Jul 20, 2010:
  - CVE-2010-2876 example
- Aug 11, 2010:
  - CVE-2010-2879 example
- Aug 24, 2010:
  - Shockwave 11.5.8 is released
Why update and disable plugins?
Exploits in the browser and its plugins are the most common way people's computers get infected with malware. Infection happens simply by browsing to a site, without any user interaction. It can be triggered by:
- Randomly browsing the web, landing on a site that has been hacked.
- Browsing a site that runs a malicious banner ad. The ad only needs to run for a few minutes on a popular site to get thousands of people infected.
- Following a URL sent by a friend whose email/IM account was compromised. This can also be a targeted attack against your organization.
Most plugins have a really bad security history and are not required for most websites. Disabling them is often a good option.