The Safe Mac

Follow The Safe Mac on Twitter to stay advised of the latest Mac security news!


Uninstall Adobe Shockwave immediately!

Posted on May 22nd, 2014 at 7:01 AM EDT

warning

Yesterday, Brian Krebs announced a shocking discovery: Adobe Shockwave Player includes an Adobe Flash Player component that has not received any security fixes since January 2013! This is a very serious security failure on Adobe’s part. I won’t be surprised if Apple blocks the current version of Shockwave, as they have done with vulnerable versions of Flash and Java in the past, but don’t wait for that to happen… remove Shockwave today!

Flash Player has been updated numerous times since January 2013, and at one point in early 2013 was reported to be in active use in dropping Mac malware on vulnerable machines. (Although conclusive reports were never released, it was believed at that time to be used to infect targeted users with the Crisis, aka Remote Control System DaVinci, malware.) The fact that Shockwave’s Flash component has not been updated during that time may possibly mean that it is also vulnerable to attack, and possibly that it is already being used for such attacks.

The one saving grace here is the lack of any significant need for Shockwave. Few sites require it (I can’t recall ever encountering a site that required Shockwave), so not that many Mac users are likely to have it installed. As a general-purpose attack vector, that makes it less desirable, though it could still be used in targeted attacks by people who know their targets have Shockwave installed. At this time, there are no known attacks involving Shockwave… key word there being “known.”

If you have Shockwave installed, I strongly recommend uninstalling it immediately. I would not recommend reinstalling it, even after Adobe releases an update, but I realize not everyone will do that. If you decide to reinstall it later, be sure to keep an eye on the news and keep Shockwave updated. In addition, you should use ClickToPlugin in Safari to prevent Shockwave content from loading unless explicitly allowed to. Enable the “click to play” option in Chrome and Firefox, if you use either of those browsers, to do the same job as ClickToPlugin.

To uninstall Shockwave, use the uninstaller provided by Adobe here:

http://helpx.adobe.com/shockwave/kb/download-shockwave-stand-alone-installer.html

Tags: , ,


24 Comments

  • Lee Maxwell says:

    I have Shockwave Flash 13.0 r0 13.0.0.214 plugin installed in Firefox. Is this the same thing? If I uninstall this, will I lose the ability to view Flash videos or see Flash content? Please advise ASAP

    • Thomas says:

      Yes, that’s what you need to uninstall. Shockwave is not needed to view Flash content… you should use Adobe Flash Player for that.

  • Clinton says:

    Thomas,

    Thanks for the heads-up. I had Shockwave installed because it’s needed to run NetFlix movies on your computer – but I gave up on NetFlix just today – the 23rd – because my expiry date is tomorrow, the 23rd!

    I uninstalled it and used EasyFind to find the remnants left behind and now I’m ‘clean’ – now just have to do a couple of ‘clean’ clones!

    Thanks,

    Clinton

    • Clinton says:

      Oops – I should have said that “I believe” that you need Shockwave to watch Netflix videos and that I gave up on Netflix on the 22nd, not the 23rd – that’s just the date that my contract expires!

      Clinton

    • Thomas says:

      I’m not a Netflix subscriber, but according to the Netflix site, they require Microsoft Silverlight, not Shockwave. Is it possible that it used to require Shockwave at one point, or that that page is incorrect?

  • MurcoRJ says:

    Sorry, just wanted clarification whether this included adobe flash player? Done a search on my mac for shockwave and nothing pops up. I do have the flash player though.

  • aa says:

    >>I have Shockwave Flash 13.0 r0 13.0.0.214 plugin installed in Firefox. Is this the same thing?

    No it is not. That’s Flash Player.

    >>>Yes, that’s what you need to uninstall.

    Not true : shockwave player is only at Version 12.1.1.151

  • aa says:

    This is how FlashPlayer is identified in Firefox :

    Shockwave Flash

    File: Flash Player.plugin
    Path: /Library/Internet Plug-Ins/Flash Player.plugin
    Version: 13.0.0.214
    State: Enabled
    Shockwave Flash 13.0 r0

    MIME Type Description Suffixes
    application/x-shockwave-flash Shockwave Flash swf
    application/futuresplash FutureSplash Player spl

    and in Safari :

    Shockwave Flash
    Shockwave Flash 13.0 r0 — from file “Flash Player.plugin”.
    MIME Type Description Extensions
    application/futuresplash FutureSplash Player spl
    application/x-shockwave-flash Shockwave Flash swf

    Just because it says Shockwave doesn’t mean that it’s the Shockwave Player.

    • Al says:

      aa is correct. It’s always caused a bit of confusion and I don’t know why it get’s identified that way.

      I abandoned Shockwave itself about a year ago when I switched computers, waiting to see if I would ever encounter a web site that required it. I haven’t found one yet.

  • Melissa says:

    Judging from the responses above, I think there may be some confusion between Adobe Shockwave as a program vs. an internet plug-in. For example, I have Adobe Flash installed on my system. When I glanced at my “installed plug-ins” list in Safari, it shows “Shockwave Flash.” This leads me to believe that I have the problem program described above, right?

    After digging around on Adobe’s site, I found this support page for Shockwave, which allows you to “test” your browser to see what version of Shockwave you have: http://helpx.adobe.com/shockwave.html . My results said that Shockwave Player was either “disabled or not installed” on my system.

    So, program or plug-in? Or both?

    • Al says:

      Adobe Shockwave Player is only a plug-in. That’s what is being discussed here. In order to produce Shockwave content one would purchase Adobe Director, the application, which I has not yet been identified as sharing this problem.

  • Jay says:

    Yeah, it seems that the browser plug-in Shockwave is different than the actual Shockwave.

    This is Adobe Flash Payer as a browser plug-in:
    Name: Shockwave Flash
    Description: Shockwave Flash 13.0 r0
    Version: 13.0.0.214
    Location: /Library/Internet Plug-Ins/Flash Player.plugin

    • Thomas says:

      Yup, after looking into it, I see that the Flash Player plugin is called “Shockwave” in certain views. I apologize for the error earlier… I haven’t actually had Flash installed in quite some time. I prefer not to let such things have a systemwide toehold on my machine. On those rare occasions that I need Flash, I turn to Chrome, which includes its own copy of Flash and which I use for pretty much nothing else.

  • deodato says:

    Hi, here is a site needing Shockwave to run : http://www.iSketch.net, a very amazing and addictive game of drawings in line, with many players worldwide. But Shockwave did not update for Mavericks, so some players quitted, some installed a Windows partition to keep on playing. Will they be affected ?

    • Thomas says:

      That site appears to require Flash, not Shockwave. As has been pointed out in the comments, the distinction can be a bit confusing at times, due to odd naming conventions chosen by Adobe. However, that site functions fine in Chrome without Shockwave installed, so it should not be affected by removing Shockwave.

  • Charles says:

    In my previous post, I shewod Three versions of Shockwave Flash. I just found another plugin listed separately from the other three. I am totally confused as to which ones to disable and which one to enable. The following is the fourth entry. (See the others in my December 7, 2012 at 11:04 post).Adobe Shockwave Player Version: 11.6.8r638Adobe Shockwave for Director Netscape plug-in, version 11.6.8Name:Shockwave for DirectorDescription:Adobe Shockwave for Director Netscape plug-in, version 11.6.8Version:11.6.8r638Location:/Library/Internet Plug-Ins/DirectorShockwave.pluginType:NPAPI DisableMIME types:MIME typeDescriptionFile extensionsapplication/x-directorShockwave for Director.dcr.dir.dxrGD Star Ratingloading…

  • Disgusted says:

    Can one of you geniuses clarify EXACTLY what we should be uninstalling, so a third grader can actually understand it?

    • bentkitty100 says:

      If you’re an actual third grader, I commend you for caring about computer security at your age. If you’re not a third grader, I commend you for using the third-grader metaphor as it’s an excellent reference point for instructions like these. And I most definitely agree that someone should be a bit more clear about this — while I don’t have any of this stuff on my computer, I know that others do.

  • tj says:

    I agree, this is getting ridiculous. I am trying to fix a friend’s Mac (I am a PC user, but glean much helpful info from this site – thanks Thomas & friends!) and although pretty savvy, would like to know – Shockwave Flash 13.0.0.214 – yes or no-pretty sure this just Adobe Flash? It is already set to “ask to activate” in Add-ons mgr Plug-Ins, which, btw, will set “true” in about:config
    Thanks!!
    p.s. what is equivalent of Malwarebytes for MAC?

    • Thomas says:

      I don’t use Flash myself these days, so I cannot comment about the specific differences in how Flash and Shockwave present themselves to the user. If you’re in doubt, just remove it and then reinstall Flash Player from Adobe’s site, if necessary:

      http://get.adobe.com/flashplayer

      As for your question about anti-virus software for the Mac, see my Mac Malware Guide.

  • ChitlinsCC says:

    Thomas, et al

    Here some links to my take on this subject on ASC

    First, a treatise on the distinction:
    https://discussions.apple.com/message/26287204#26287204

    Next, the reason that Mavericks does not play well with Shockwave Flash (Flash used to BE FutureSplash before Macromedia bought it as a vector graphics solution to bandwidth limits in the old days)
    https://discussions.apple.com/message/26287204#26287204

    At the end seems to be Apple recent (VERY) answer to the issue.

    best regards
    ChitlinsCC (AppleID)

  • ChitlinsCC says:

    Thomas

    the SECOND LINK should be
    https://discussions.apple.com/message/26287951#26287951

    Sorry forgot to use Clipple Paste

  • Tabbernackle says:

    YES. definitely uninstall immediately. I have first hand experience. its nightmare. it took me a few months to find the backdoor that was installed via the Plugin (essentially) its just a remote control. the hackers (whom ever they be) attach a very efficient listener that WILL find an open port and exploit the hell out of whatever its looking for. in my case it was through my cable modem into my DVR and eventually starting a hell storm that has absolutely ruined me as a person. ive just completed months of my own research to find out how this was done. its absolutely incredible. i can provide details if anyone is truly interested but please for the sake of your mental health REMOVE THIS NOW.

This post is more than 90 days old and has been locked. No further comments are allowed.

This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.
For questions or comments, please contact me.