October 8, 2002

Shockwave Security updates

On September 9th, Macromedia quietly released a new version of the Shockwave for Director player to address recently uncovered security vulnerabilities in both the Flash Asset Xtra and NetLingo. Note that the updated Flash Player was pushed out a month prior. Macromedia continues to follow the "better safe than sorry" convention of advising all users to upgrade, and in fact, if you've enabled automatic updating then you may already have this latest version.

Full details can be found in the Macromedia Shockwave URL Modification Issue document on the Macromedia web site.

A few notes for developers and testers:

The new releases have build numbers of 8.5.1r105 for Mac (9.x and earlier) and 8.5.1r106 for Windows. At this writing there is no word on whether the OS X version is vulnerable to the exploit or if an updated version is forthcoming.

Currently, Macromedia's servers are supplying r102 to ActiveX users who encounter pages with codebase tags, however users who arrive at the Shockwave download page will get r106.

The Shockwave Player version history technote states that the installers have also changed. Win IE users still get the "ultra-shim" installer while non-ActiveX users get the full installer. While this makes for a shorter download for ActiveX users, everyone else gets eased functionality in exchange for their trouble in the form of the following bundled Xtras:

  • RealMedia Asset
  • QT3Asset
  • Havok
  • Animated GIF Asset
  • While these Shockwave-safe Xtras are downloaded to ActiveX users when they encounter Shockwave content requiring their use, everyone else won't be troubled and will simply see the content. Note that until Real releases the OS X version of Real Player, OS X Shockwave users will have to do without an OS X compatible RealMedia asset.

    Lastly, as the security fix patches net connection vulnerabilities, it would make sense to install the update and give your net-aware Shockwave content a once-over.

    Posted by Lewis Francis at October 8, 2002 10:29 AM

    As of tonight, October 15th, Macromedia's ActiveX update servers are now properly delivering version 8.5.1r106.

    Posted by: Lewis Francis at October 15, 2002 9:52 PM
    TrackBack URL for this entry:

    Listed below are links to weblogs that reference 'Shockwave Security updates' from Information Gift.
    Post a comment

    Remember personal info?

    Voigt-Kampf verification (needed to reduce spam):