Shockwave for Director plugin downloads an exe

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Shockwave for Director plugin downloads an exe

Post by Alan Baxter »

I was attempting to confirm a problem another user was having with the Shockwave for Director plugin aka Adobe Shockwave Player on hxxp://www.zeronews-fr.com/flash/pandapang.php. I've broken the link because it causes a file to be downloaded and executed. I can't tell that the link is malicious: my guess is that the plugin is confused and is attempting to update itself. I did my testing in a sandbox so it wouldn't make any changes to the rest of my system. Here's the topic I was helping in: http://forums.mozillazine.org/viewtopic ... 9#p9421649

I'll leave the details to last, but here's a summary. Apparently the Shockwave Player plugin decided to update itself. It started up the Shockwave Download Module (SWDNLD.EXE) and downloaded an installation file, setup.exe, to my temp directory. It then executed setup.exe, which installed an old version of Shockwave Player. I wouldn't have known that any of this had happened if my firewall hadn't notified me that SWDNLD.EXE and setup.exe were trying to connect to the Internet or if the software installer hadn't asked for permission to download and install some additional Norton stuff. (Gotta love these third-party ride alongs, eh?) The person I was helping dismissed the installation popup as a bug in Fx 3.6.4 beta build 5 instead of realizing it was a problem with the site's use of Shockwave Player.

My concern is that the Shockwave Player plugin called by Firefox downloaded and installed a program -- an older version of itself -- without my knowledge or permission. (If it hadn't been for my software firewall and a confusing popup, that is.)

Here are the details of what happened:
I ran Fx 3.6.3 in a clean, sandboxed profile that has no extensions installed. I enabled the Shockwave for Director plugin in the Add-ons > Plugins window. I'm using the latest version of Adobe Shockwave Player, version 11.5.7r609.

- I loaded hxxp://www.zeronews-fr.com/flash/pandapang.php. The page has a white square with "Adobe Shockwave Player" in the middle of it. My firewall popped up a dialog telling me that Shockwave Download Module (SWDNLD.EXE) at D:\WINDOWS\system32\Adobe\Director\SWDNLD.EXE was trying to connect to pinger.macromedia.com.
- I responded OK. It downloaded the following:
File Version : 10.4.1.29
File Description : Adobe Shockwave Player (setup.exe)
File Path : D:\Sandbox\<username>\DefaultBox\user\current\Local Settings\Temp\{F774DF64-AE49-4936-94CA-353CA3AF3555}\setup.exe

It then executed setup.exe. Apparently setup.exe installed an old version of the Shockwave Player. Secunia PSI notified me that the following had just been installed:
Version Detected: 10.4.1.29
Installation Path: D:\Sandbox\<username>\DefaultBox\drive\D\WINDOWS\system32\Macromed\Shockwave 10\SwOnce.dll

setup.exe also tried to connect to stats.norton.com -- which I did not allow -- and popped up a dialog titled "Installing Shockwave Player" asking me if I would like to Include Norton Security Scan (checked by default).
- I unchecked the box and clicked the Next button at the bottom of the dialog. The dialog went away and nothing further happened.
- I clicked the reload toolbar button. The site then played the game.

If it hadn't been for my software firewall, I merely would have observed the same thing as the person I was helping. i.e. the software popped up a seemingly bogus software installation dialog but played the game OK when the reload button was clicked.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100523 Firefox/3.6.4
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Shockwave for Director plugin downloads an exe

Post by Giorgio Maone »

This seems a well-intentioned transparent update process gone bad.
The most relevant issue, IMHO, is you ending up with an older (and arguably less safe) version of the player, which hints at buggy version checking.
Aside from that, many don't like updates happening in the background with no notice, but it's apparently the route Chrome has shown to be the most effective to keep users safe, and the one Firefox itself seems to be taking for its future.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Re: Shockwave for Director plugin downloads an exe

Post by Alan Baxter »

Thank you for looking at that, Giorgio. I don't mind automatic updates so much as long as they're not broken. :x

Since plugins called by Firefox have the ability to download and execute arbitrary code -- like Firefox and its extensions too, I think -- it's a good thing that Shockwave Player wasn't hacked somehow.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100523 Firefox/3.6.4
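
Added example, not part of the thread and not Adobe's or Mozilla's code: a check over software-inventory events that flags the two things reported above, a product version going backwards and an installer running out of a temp directory. The `InstallEvent` record, the `review` function and the second sample event are assumptions made for illustration; the first sample event reuses the versions and path quoted in the first post.

```python
import re
from typing import NamedTuple

class InstallEvent(NamedTuple):       # hypothetical record shape
    product: str
    previous_version: str             # version present before the event
    installed_version: str            # version reported after the event
    installer_path: str               # executable that performed the install

def parse_version(text: str) -> tuple:
    """Split '11.5.7r609' or '10.4.1.29' into a tuple of integer fields."""
    fields = re.split(r"[.r]", text.strip().lower())
    if not all(f.isdigit() for f in fields):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(f) for f in fields)

def _pad(version: tuple, width: int) -> tuple:
    # Treat missing trailing fields as zero so '1.2' equals '1.2.0'.
    return version + (0,) * (width - len(version))

def is_downgrade(previous: str, installed: str) -> bool:
    old, new = parse_version(previous), parse_version(installed)
    width = max(len(old), len(new))
    return _pad(new, width) < _pad(old, width)

# Per-user temp locations on Windows XP and on later Windows versions.
TEMP_DIR = re.compile(
    r"\\(?:Local Settings\\Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)

def review(event: InstallEvent) -> list:
    """Return the findings for one install event, empty if nothing stands out."""
    findings = []
    if is_downgrade(event.previous_version, event.installed_version):
        findings.append("downgrade")
    if TEMP_DIR.search(event.installer_path):
        findings.append("installer-ran-from-temp")
    return findings

# Constructed sample data. Event 0 uses the values quoted in the thread,
# event 1 is an invented ordinary upgrade for contrast.
SAMPLE_EVENTS = [
    InstallEvent("Adobe Shockwave Player", "11.5.7r609", "10.4.1.29",
                 r"D:\Sandbox\<username>\DefaultBox\user\current\Local Settings"
                 r"\Temp\{F774DF64-AE49-4936-94CA-353CA3AF3555}\setup.exe"),
    InstallEvent("ExamplePlayer", "1.2.0", "1.3.0",
                 r"C:\Program Files\ExamplePlayer\updater.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.product, review(ev))
```
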