COMMAND

    shockwave

SYSTEMS AFFECTED

    Shockwave7

PROBLEM

    The following was posted to the Lingo programming list  (Macromedia
    Director 7  scripting).   Macromedia is  set to  close a  security
    loophole in Shockwave 7  after MacUser discovered the  Web plug-in
    was sending personal  user information, including  passwords, back
    to Macromedia.   The updated plug-in  is being tested  and will be
    available this week.  The problem occurs in Shockwave 7's optional
    auto-update  feature,  which  periodically  checks  the Macromedia
    download site for the latest  revision of Shockwave.  If  it needs
    an update, the software  reports back to Macromedia  the Shockwave
    sites  users  have  visited.   But  in  cases  where Web sites use
    password validation in their  addresses, this information -  which
    can include the passwords, as well as data about secure Web sites,
    even  those  behind  a  firewall,  and  hard disk information - is
    passed  back  to  Macromedia.   Although  security risks are minor
    because Shockwave 7 encrypts data before sending it to Macromedia,
    other users could get information about how to attack a  company's
    network.

SOLUTION

    Macromedia was not aware of  the problem when contacted, but  is
    creating an updated  Shockwave 7 plug-in  which will strip  obvious
    password information  and port  numbers from  URLs before  sending
    them.   The  update  will  record  any  non-standard  URLs as "Not
    an http:// server", preventing information about local hard  disks
    and  ftp  sites  being  transferred.   Macromedia  will also add a
    special  parameter  to  the  "embed"  tag  used to place Shockwave
    movies in a page that will stop the URL from being recorded.
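    As an added illustration (not Macromedia's code and not part of the
    posting above), the Python below applies the same three rules the
    updated plug-in is described as using before a visited-site URL is
    reported anywhere: anything that is not a plain http:// URL is
    replaced by "Not an http:// server", userinfo (user:password@) and
    the port are stripped from the host, and query parameters whose
    names look like credentials are dropped.  The function names, the
    list of sensitive parameter-name fragments and the sample URLs are
    assumptions made for this example; the advisory does not specify
    them.  Treating https:// as "not http" follows the quoted wording
    and keeps secure-site URLs from being reported at all.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Placeholder string for anything that is not a plain http:// URL,
# mirroring the wording quoted in the advisory.
NOT_HTTP = "Not an http:// server"

# Query-parameter name fragments treated as "obvious password information".
# This list is an assumption for the example; the advisory does not define one.
SENSITIVE_PARAM_FRAGMENTS = ("pass", "pwd", "secret", "token")


def sanitize_url(url: str) -> str:
    """Reduce a visited-site URL to the part that is safe to report."""
    parts = urlsplit(url)

    # file://, ftp://, and anything else non-standard is not reported at all,
    # so local disks and ftp sites never leave the machine.
    if parts.scheme.lower() != "http":
        return NOT_HTTP

    # .hostname already drops userinfo (user:password@) and the :port suffix.
    host = parts.hostname or ""
    if ":" in host:          # a bare IPv6 literal needs its brackets back
        host = f"[{host}]"

    # Drop query parameters whose names look like credentials.
    kept = [
        (name, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if not any(frag in name.lower() for frag in SENSITIVE_PARAM_FRAGMENTS)
    ]

    # The fragment is client-side only and is never sent.
    return urlunsplit(("http", host, parts.path, urlencode(kept), ""))


def sanitize_visited(urls):
    """Sanitize a whole list of visited URLs, preserving order."""
    return [sanitize_url(u) for u in urls]


if __name__ == "__main__":
    # Constructed sample of what an auto-update report might have contained.
    SAMPLE = [
        "http://user:secret@example.com:8080/movie.dcr?id=1&password=hunter2",
        "http://intranet.example.com/games/?user=bob&passwd=x",
        "https://secure.example.com/account",
        "ftp://ftp.example.com/pub/shockwave/",
        "file:///home/user/movies/intro.dcr",
    ]
    for before, after in zip(SAMPLE, sanitize_visited(SAMPLE)):
        print(f"{before}\n  -> {after}")
```

    Running the module prints each constructed URL beside what would
    actually be reported; only scheme, host, path and non-credential
    query parameters survive.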