Posted on May 22nd, 2014 at 7:01 AM EDT
Yesterday, Brian Krebs announced a shocking discovery: Adobe Shockwave Player includes an Adobe Flash Player component that has not received any security fixes since January 2013! This is a very serious security failure on Adobe’s part. I won’t be surprised if Apple blocks the current version of Shockwave, as they have done with vulnerable versions of Flash and Java in the past, but don’t wait for that to happen… remove Shockwave today!
Flash Player has been updated numerous times since January 2013, and at one point in early 2013 it was reported to be in active use for dropping Mac malware on vulnerable machines. (Although conclusive reports were never released, it was believed at that time to be used to infect targeted users with the Crisis, aka Remote Control System DaVinci, malware.) Because Shockwave’s Flash component has not been updated during that time, it may also be vulnerable to attack, and it is possible that it is already being used for such attacks.
The one saving grace here is the lack of any significant need for Shockwave. Few sites require it (I can’t recall ever encountering a site that required Shockwave), so not that many Mac users are likely to have it installed. As a general-purpose attack vector, that makes it less desirable, though it could still be used in targeted attacks by people who know their targets have Shockwave installed. At this time, there are no known attacks involving Shockwave… key word there being “known.”
If you have Shockwave installed, I strongly recommend uninstalling it immediately. I would not recommend reinstalling it, even after Adobe releases an update, but I realize not everyone will do that. If you decide to reinstall it later, be sure to keep an eye on the news and keep Shockwave updated. In addition, you should use ClickToPlugin in Safari to prevent Shockwave content from loading unless you explicitly allow it. If you use Chrome or Firefox, enable the “click to play” option in those browsers, which does the same job as ClickToPlugin.
To uninstall Shockwave, use the uninstaller provided by Adobe here: