Last Updated on November 20, 2016 by Dave Farquhar
Bad things happen when security pros like me start asking our infrastructure brethren to patch Flash. We get better security, but the Flash upgrade fails enough of the time to cause extra workload, and it can be confusing. One of the problems is the question of Flash vs Shockwave.
Consequently, I see more Flash-related helpdesk tickets than I ever saw, even when I was doing desktop support long ago. Adobe doesn’t make it any easier by calling the plugin “Shockwave Flash.”
Unfortunately, when people look at a computer that works, they see a plugin called “Shockwave Flash,” then they proceed to install Shockwave. Shockwave is a different and only tangentially related technology. I suspect Adobe bundled the two names together so they could feed off one another’s name recognition. Shockwave does include a Flash component, but Adobe does a poor job of patching it, so deploying Shockwave actually harms security because it has an old, vulnerable version of Flash as a ride-along. Plus, there’s little to no business content on the web that actually uses Shockwave. I know, because I work in an environment that up until last week was Shockwave-free, and the only problems we had were with Flash, not Shockwave.
I don’t really understand Adobe’s motives, nor do I care since Flash is on its way out, slowly but surely. But if you get the call to troubleshoot Flash issues, keep your eye on the ball and don’t get distracted by the word “Shockwave.” The current Flash plugin, which is at version 19 at the time I write this, is the one you need. Do whatever it takes to clean out the old, corrupted Flash versions and get a clean version of 19 down.
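To make the naming trap concrete, here is an added example (not code from this post) that sorts a software inventory into Flash and Shockwave entries and flags Shockwave installs and Flash versions older than 19. The inventory rows, host names, and version strings are constructed, and the display names are assumed to resemble what plugin lists and installed-program lists report.

```python
import re

MIN_FLASH_MAJOR = 19  # the Flash version the post names as current

# Constructed sample inventory: (host, name as reported, version string).
SAMPLE = [
    ("pc-01", "Shockwave Flash", "19.0.0.1"),              # browser plugin name: this IS Flash
    ("pc-02", "Adobe Flash Player 18 ActiveX", "18.0.0.1"),
    ("pc-03", "Adobe Shockwave Player 12.2", "12.2.0.1"),  # the other product
    ("pc-03", "Adobe Flash Player 19 NPAPI", "19.0.0.1"),
    ("pc-04", "Shockwave for Director", "12.2.0.1"),       # Shockwave's plugin name
    ("pc-05", "Adobe Reader XI", "11.0.0.1"),              # unrelated, ignored
]

def classify(name):
    """Return 'flash', 'shockwave', or None for an inventory display name."""
    n = name.lower()
    if "shockwave player" in n or "director" in n:
        return "shockwave"
    if "flash" in n:          # includes the plugin that calls itself "Shockwave Flash"
        return "flash"
    if "shockwave" in n:
        return "shockwave"
    return None

def major(version):
    """Leading integer of a dotted version string, or None if unreadable."""
    m = re.match(r"\s*(\d+)", version)
    return int(m.group(1)) if m else None

def audit(rows, min_major=MIN_FLASH_MAJOR):
    """Return (host, name, reason) for each entry that needs attention."""
    findings = []
    for host, name, version in rows:
        kind = classify(name)
        if kind == "shockwave":
            findings.append((host, name, "Shockwave installed (not the Flash plugin)"))
        elif kind == "flash":
            maj = major(version)
            if maj is None:
                findings.append((host, name, "Flash version unreadable"))
            elif maj < min_major:
                findings.append((host, name, f"Flash {maj} is older than {min_major}"))
    return findings

if __name__ == "__main__":
    for host, name, reason in audit(SAMPLE):
        print(f"{host}: {name}: {reason}")
```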