October 8, 2002
Shockwave Security updates
On September 9th, Macromedia quietly released a new version of the Shockwave for Director player to address recently uncovered security vulnerabilities in both the Flash Asset Xtra and NetLingo. Note that the updated Flash Player was pushed out a month prior. Macromedia continues to follow the "better safe than sorry" convention of advising all users to upgrade, and in fact, if you've enabled automatic updating then you may already have this latest version.
Full details can be found in the Macromedia Shockwave URL Modification Issue document on the Macromedia web site.
A few notes for developers and testers:
The new releases have build numbers of 8.5.1r105 for Mac (9.x and earlier) and 8.5.1r106 for Windows. At this writing there is no word on whether the OS X version is vulnerable to the exploit or if an updated version is forthcoming.
Currently, Macromedia's servers are supplying r102 to ActiveX users who encounter pages with codebase tags, however users who arrive at the Shockwave download page will get r106.
The Shockwave Player version history technote states that the installers have also changed. Win IE users still get the "ultra-shim" installer while non-ActiveX users get the full installer. While this makes for a shorter download for ActiveX users, everyone else gets eased functionality in exchange for their trouble in the form of the following bundled Xtras:
Lastly, as the security fix patches net connection vulnerabilities, it would make sense to install the update and give your net-aware Shockwave content a once-over.Posted by Lewis Francis at October 8, 2002 10:29 AM