Shockwave uses vulnerable Flash

Also cited:
http://www.securityweek.com/us-cert-warns-three-remotely-exploitable-flaws-adobe-shockwave
http://krebsonsecurity.com/2012/12/shocking-delay-in-fixing-adobe-shockwave-bug/
http://www.kb.cert.org/vuls/id/519137

 

Adobe should know better than this. Then again, as the alert says, Shockwave has very few needed uses anymore (online games, mostly from Shockwave itself are about all I can think of right now.) It's basically a remnant of a long gone time when one actually had a need to keep multiple video players, codecs and such around.

 

Shockwave is a mess, it's also vulnerable to downgrading:
http://www.kb.cert.org/vuls/id/546769

 

For those that do not use Adobe Shockwave on a daily basis, you may uninstall until it is fully patched.

 

As Krebs said in his blog, Adobe was informed of the vulnerability in 2010. And Adobe announced they would patch it in 2013.

W.O.W.

 

Should probably just drop Shockwave support and kill it.

 

To me it basically shows Adobe knows good and well hardly anyone uses it and thus they don't particularly care. Of course, whether it's worthwhile to worry about an issue facing such rarely used software or not, once these security bulletins start getting mentioned at widely read media outlets it becomes a question also of whether it's an issue you're willing to take bad PR over. Personally, I say just get on it, get it done, and it'll be forgotten 2 weeks after the fix goes out.

 

There's not really any excuse for taking this long to patch. If they had dropped support, sure. But they haven't. So even if 5 people use it they should patch.

 

That really depends on what the problem is, it's severity, likelihood of attack and number of users. I'm not throwing weeks of man hours at this particular problem if only say, 100 users are at risk and there isn't even an exploit in the wild. Adobe screwed up in a major way by not updating Flash with Shockwave, they know better after all the hell they've taken over Flash alone. But, really, if you're an attacker, are you going to even glance at this twice?

 

Agreed If patching it is no longer a priority, they might as well declare it's death.

 

Adobe doesn't have a stellar reputation for security and patching when something breaks or when something is reported to them as being vulnerable.

 

Adobe to patch 2-year-old Shockwave vulnerability next year

Article