Adobe has released an update for Shockwave to patch security vulnerabilities. A security bulletin was released today.
As usual Adobe is giving enterprise admins the finger by advising that in order to upgrade Shockwave, you must first uninstall old Shockwave versions, reboot and then install the new version of Shockwave. Does anyone actually do that? I don’t know about anyone else, but I try to minimize the disruption of my patching program. Part of that is limiting reboots. I can’t think of another application that makes such unreasonable demands. Fortunately I’ve ignored rebooting while upgrading Shockwave and it hasn’t caused me any major issue yet.
I also wonder where Shockwave fits into Adobe’s security program. If it’s so important that Adobe Reader only be upgraded on a planned quarterly basis, then why isn’t Shockwave updated in the same predictable manner? (BTW, I don’t find it helpful to have all my patches released on the same day. I don’t find it feasible to deploy all these patches at the same time, so some items will not be patched as quickly. When a patch is released (assuming there wasn’t already a zero-day), there is a mad dash by the bad guys to reverse engineer the patch, find the vulnerable code, and develop an exploit. So releasing the patches any week other than the second week would be preferable.)
If someone finds a Flash zero-day next week, I’m going to think someone declared an unofficial “Month of Adobe bugs”.