test content
What is the Arc Client?
Install Arc

Security and privacy concerns regarding Arc and arcgames.com

frtoasterfrtoaster Member Posts: 3,354 Arc User
Some of us were discussing security and privacy concerns regarding Arc and arcgames.com in the thread about the forum migration.

Forums are off again

That thread seems to have died down, and this discussion seems a little off-topic for that thread anyway. Also, no one has posted in the previous two threads about Arc and arcgames.com in months:

Feedback Requested: Arc Download and STO Install via Arc
Arcgames.com is Ready for your Feedback

That's why I decided to start a new thread. I will quote the relevant comments from the forum migration thread.
frtoaster wrote: »
Because of concerns about the security of the new forums, I decided to do some poking around. Forget about Vanilla Forums for the moment. What about PWE's own security? I'm not exactly happy with what I found. Keep in mind that I only have passing knowledge of this stuff. You should hire an expert to audit your security measures. Most programmers and IT staff are not experts in security. I would not feel comfortable performing such an audity myself.


Flash plugin installed by Arc

If I view my Firefox plugins, I see that I have two versions of Flash installed.

Shockwave Flash 16.0.0.235
Shockwave Flash 17.0.0.169

Above "Shockwave Flash 16.0.0.235", there is a warning message:

Shockwave Flash is known to be vulnerable and should be updated.

If I go to about:plugins, I see that "Shockwave Flash 16.0.0.235" was installed by Arc. The DLL was installed here:

C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\NPSWF32.dll

If I set "Shockwave Flash 16.0.0.235" to "Never Activate" and restart Firefox, I find that "Shockwave Flash 17.0.0.169" has also been disabled. Stop installing outdated, insecure versions of Flash on my computer. I keep my own version of Flash up to date. Even if you update Arc's version of Flash, I don't run Arc often enough to keep that version up to date.


arcgames.com

You may be missing an SSL certificate. I'm not sure whether you don't have one or whether Firefox doesn't accept yours because you're using a weak signature scheme. You are also using an encryption scheme that has been deprecated as insecure. I have provided reproduction steps below.

1. Start Firefox.
2. Type arcgames.com into the address bar and press Enter. You are redirected to

http://www.arcgames.com/en/games

3. If you click on "Sign in" in the upper right, a form drops down asking for your "User Name / Email" and "Password".
4. Press Ctrl+U to view the source code for the page.
5. Search for the form with class="form-horizontal form-sign-in-header". The source code shows that the form posts to

https://www.arcgames.com/en/sign/in

6. Copy and paste the above URL into the address bar and press Enter.
7. Click on the warning icon to the left of the URL in the address bar. Firefox shows the following warning message:

This website does not supply identity information.

The connection to this website is not fully secure because it contains unencrypted elements (such as images) or the encryption is not strong enough.

8. Press Ctrl+Shift+K to open the web developer console. Search for the following warning messages:

This site uses the cipher RC4 for encryption, which is deprecated and insecure.
This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.

9. Type your user name and password, and click "Sign In".
10. Click on "CHARGE". You are sent to

https://billing.arcgames.com/en/

11. Repeat steps 7 and 8.
frtoaster wrote: »
Who are Disqus? I just received an email from them asking me to verify my email address:
Welcome to Disqus, frtoaster!

Why verify?

Many sites using Disqus require a verified email for commenting to prevent spam. Verifying lets you join discussions quickly and easily.

They know that my forum name is associated with this email address, so I can only assume it has something to do with the new forums. Does Vanilla Forums use Disqus to verify email addresses? Why am I receiving this email from them?
Aha, found it.

http://www.arcgames.com/en/social/all

So if you click on any of those where it has the comments thing...

It gives the option to login for...

Arc
Disqus
Facebook
Twitter

It has a thing there where it looks like there might be 1 comment, the little 1 in the red chat/speaking/dialogue icon...but when you click on it, it pops up in the current window the following:

http://i.imgur.com/IwIZLYH.png

I wasn't logged in to Arc at the time.

So, what the Hell, let me log in and see what happens.

And yep, it logged me into Disqus...well then...hrmmm, that kind of sucks. Heh, I'd forgotten about Disqus until you mentioned it, one of those back of the mind things. But searching my email, I apparently signed up for it back in June 2012.

There is not a chance in Hell that my Arc password is the same password I would have used three years ago...

...that's pretty freaking effed up.

Must be some authorization scheme at play...meh. :(

edit: Gets into this: https://disqus.com/api/docs/auth/

And I'm wondering just where I agreed to allow Arc to do that....ffs.

There's nothing that I see in any of the "smallprint" stating that I've agreed to that...

edit2: That's just some damn ****ed up bull**** there in your case then, cause it ****ing looks like they created the ****ing Disqus account on your behalf and Disqus is asking you to verify. What a load of ****...
frtoaster wrote: »
I think they created one of these site-specific profiles for me instead of an actual account.

https://help.disqus.com/customer/portal/articles/1897513-site-specific-profiles-

Of course, if they did create a Disqus account for me, I have no idea what the login and password would be.
Weirdly, right after visiting the link that VirusDancer shared, I got an email from Disqus asking me to confirm my email address. So it's not even from clicking on a comment section on that page, it's from visiting that page whilst signed in to Arc... I don't like that. For one, I actually already have a Disqus account associated with a different email address to the one I use for Arc/Cryptic stuff. I don't want or need a second Disqus account.
frtoaster wrote: »
Oh, is that what caused it? Visiting the "SOCIAL" tab? I do remember clicking on that tab. I don't remember seeing that Disqus login form before virusdancer showed it to me. I definitely did not sign up for a Disqus account; I would have remembered typing in a login name and password. So clicking on the "SOCIAL" tab creates a site-specific profile on Disqus and sends them your email address. They should probably explicitly mention that somewhere.
Waiting for a programmer ...
qVpg1km.png
Post edited by Unknown User on

Comments

  • guilli88guilli88 Member Posts: 0 Arc User
    edited May 2015
    Do a good write-up and mail to game news and tech sites. They love anything they can cover that involves security issues and consumer privacy threats these days.


    wired: submit@wired.com
    arstechnica: http://arstechnica.com/contact-us/
    Gawker: tips@gawker.com
    Kotaku: tips@kotaku.com
    io9: tips@io9.com

    And various more.

    sig

    http://img825.imageshack.us/img825/5451/om71.jpg

    It is a peculiar phenomenon that we can imagine events that defy the laws of the universe.
  • frtoasterfrtoaster Member Posts: 3,354 Arc User
    edited May 2015
    frtoaster wrote: »
    Flash plugin installed by Arc

    If I view my Firefox plugins, I see that I have two versions of Flash installed.

    Shockwave Flash 16.0.0.235
    Shockwave Flash 17.0.0.169

    Above "Shockwave Flash 16.0.0.235", there is a warning message:

    Shockwave Flash is known to be vulnerable and should be updated.

    If I go to about:plugins, I see that "Shockwave Flash 16.0.0.235" was installed by Arc. The DLL was installed here:

    C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\NPSWF32.dll

    If I set "Shockwave Flash 16.0.0.235" to "Never Activate" and restart Firefox, I find that "Shockwave Flash 17.0.0.169" has also been disabled. Stop installing outdated, insecure versions of Flash on my computer. I keep my own version of Flash up to date. Even if you update Arc's version of Flash, I don't run Arc often enough to keep that version up to date.

    Today, I installed the lastest version of Flash, version 17.0.0.188. I ran Arc to see if it would remove the old, insecure version. Arc did patch something, but version 16.0.0.235 of Flash is still installed.
    guilli88 wrote: »
    Do a good write-up and mail to game news and tech sites. They love anything they can cover that involves security issues and consumer privacy threats these days.


    wired: submit@wired.com
    arstechnica: http://arstechnica.com/contact-us/
    Gawker: tips@gawker.com
    Kotaku: tips@kotaku.com
    io9: tips@io9.com

    And various more.

    They shouldn't need the embarrassment of media coverage to fix their problems. I'm hoping Trendy sees this thread and passes the information onto the right people.
    Waiting for a programmer ...
    qVpg1km.png
  • edited May 2015
    This content has been removed.
  • the1tiggletthe1tigglet Member Posts: 1,421 Arc User
    edited May 2015
    frtoaster wrote: »
    Today, I installed the lastest version of Flash, version 17.0.0.188. I ran Arc to see if it would remove the old, insecure version. Arc did patch something, but version 16.0.0.235 of Flash is still installed.



    They shouldn't need the embarrassment of media coverage to fix their problems. I'm hoping Trendy sees this thread and passes the information onto the right people.

    Sadly sometimes that's the only way you can get some developers to do their jobs.

    For example, you have to send them a tweet in order for them to fix bugs that's the latest method, reporting anything using their tool does nothing.
  • frtoasterfrtoaster Member Posts: 3,354 Arc User
    edited June 2015
    I just uninstalled and reinstalled Arc to see if they've fixed some of the problems that I noticed before.

    This time, I installed Arc in a directory where standard users have write access to see if I could run Arc without being administrator. Instead of installing Arc in

    C:\Program Files (x86)\Perfect World Entertainment\Arc

    as I had previously, this time, I installed it in

    C:\Games\Arc

    It didn't work. Arc still requires administrator access to run. Why? Is it because Arc needs to patch itself? There's no reason to disallow normal users from patching Arc. I have STO installed in C:\Games\Star Trek Online_en, and I can patch STO just fine without being administrator.

    Arc still installs a vulnerable version of Flash (version 16.0.0.235). The following information is from about:plugins in Firefox:

    Shockwave Flash

    File: NPSWF32.dll
    Path: C:\Games\Arc\Plugins\NPSWF32.dll
    Version: 16.0.0.235
    State: Enabled (STATE_VULNERABLE_UPDATE_AVAILABLE)
    Shockwave Flash 16.0 r0

    First, you should remove this vulnerable plugin. Second, you should stop installing versions of Flash on behalf of the user. I keep my own version of Flash up to date, but I don't run Arc often enough to keep its version up to date.
    Waiting for a programmer ...
    qVpg1km.png
  • angrytargangrytarg Member Posts: 11,009 Arc User
    edited June 2015
    I like how cocnerns like that pop up shortly before a major migration/forcing users to use another service takes place and, usually, go by completely unadressed. I really hope it's not the case this time, though.
    lFC4bt2.gif
    ^ Memory Alpha.org is not canon. It's a open wiki with arbitrary rules. Only what can be cited from an episode is. ^
    "No. Men do not roar. Women roar. Then they hurl heavy objects... and claw at you." -Worf, son of Mogh
    "A filthy, mangy beast, but in its bony breast beat the heart of a warrior" - "faithful" (...) "but ever-ready to follow the call of the wild." - Martok, about a Targ
    "That pig smelled horrid. A sweet-sour, extremely pungent odor. I showered and showered, and it took me a week to get rid of it!" - Robert Justman, appreciating Emmy-Lou
  • rsoblivionrsoblivion Member Posts: 809 Arc User
    edited June 2015
    Lol I don't use Arc for these very reasons. It's shady as fark in the first place, these little failures to keep security tight don't help the claims of Arc being secure. It may not phone home like Origin did on release, doesn't excuse poor security.
    Chris Robert's on SC:
    "You don't have to do something again and again and again repetitive that doesn't have much challange, that's just a general good gameplay thing."
  • mustrumridcully0mustrumridcully0 Member Posts: 12,963 Arc User
    edited June 2015
    Sadly sometimes that's the only way you can get some developers to do their jobs.

    For example, you have to send them a tweet in order for them to fix bugs that's the latest method, reporting anything using their tool does nothing.
    Whenever that works, you will never learn what kind of other bugs were not fixed, or what kind of feature was not implemented or delayed, and you'll also never know if they weren't already working on that issue anyay., and you'll also never know if they weren't working on the issue
    anyway.

    Issues and features are usually prioritized, and done in that order. If a programmer had to choose, he'd often rather pick the kind of tasks that look fun to do, not the ones that are actually important. An "easy" bugfix can often be exactly like that - it seems easy enough to do, so you quickly achieve a success. But "quickly" doesn't mean "no time" and there might be context switches involved as yo drop everything you're just doing and do something else instead.

    It didn't work. Arc still requires administrator access to run. Why? Is it because Arc needs to patch itself? There's no reason to disallow normal users from patching Arc. I have STO installed in C:\Games\Star Trek Online_en, and I can patch STO just fine without being administrator.
    Most likely, they require it because they don't assume you put it into an unprotected order like "Games", but instead under Program Files. Also, if the arc launcher also patches other installed games, it would still need the rights for those.

    It's hardly ideal, but putting your games or programs in a folder that is not protected by Windows Resource Protection is not actually that great either - it would still allow infecting your machine with malicious software without administration privileges.
    Star Trek Online Advancement: You start with lowbie gear, you end with Lobi gear.
  • frtoasterfrtoaster Member Posts: 3,354 Arc User
    edited June 2015
    Most likely, they require it because they don't assume you put it into an unprotected order like "Games", but instead under Program Files. Also, if the arc launcher also patches other installed games, it would still need the rights for those.

    It's hardly ideal, but putting your games or programs in a folder that is not protected by Windows Resource Protection is not actually that great either - it would still allow infecting your machine with malicious software without administration privileges.

    Right now, I have my games installed in a directory where normal users have write access. That allows the games to patch themselves, and I don't have to log in as an administrator in order to play. It might not be an ideal solution, but it's better than logging in as administrator every time I want to play a game. If the game allows malicious software through, it is limited to whatever damage a normal user can do. It might completely overwrite my game directories. But it won't overwrite C:\Program Files and C:\Program Files (x86), where I have my other programs installed. And what if I want to browse the Web while playing a game? If some malicious code escapes the browser's sandbox, I don't want to be logged in as administrator when that happens. It's especially disconcerting when Arc includes its own web browser and a vulnerable version of Flash.
    Waiting for a programmer ...
    qVpg1km.png
  • mustrumridcully0mustrumridcully0 Member Posts: 12,963 Arc User
    edited June 2015
    frtoaster wrote: »
    Right now, I have my games installed in a directory where normal users have write access. That allows the games to patch themselves, and I don't have to log in as an administrator in order to play. It might not be an ideal solution, but it's better than logging in as administrator every time I want to play a game. If the game allows malicious software through, it is limited to whatever damage a normal user can do. It might completely overwrite my game directories. But it won't overwrite C:\Program Files and C:\Program Files (x86), where I have my other programs installed. And what if I want to browse the Web while playing a game? If some malicious code escapes the browser's sandbox, I don't want to be logged in as administrator when that happens. It's especially disconcerting when Arc includes its own web browser and a vulnerable version of Flash.

    If malacious code can get out of your browser's sandbox, it is not important whether anything you have running is in admin mode or not. The question is - is the browser? If so, then the malicious code has admin rights. If not, the malicious code needs a way to escalate its privileges, and for that it doesn't require another program generally speaking, but a security hole in windows itself. A low privilege process should (barring windows vulnerabilities) not be able to manipulate a program in admin mode.


    Though it is a problem that Arc needs Flash. With HTML5, they shouldn't really have a need for that anymore - they need to get a decent browser into Arc, maybe something based on Chromium or Webkit or so, but whatever fits the bill of good HTML 5, Javascript and CSS compatibility. Flash will probably always be an extra security risk, regardless of version. (Not that another browser technology couldn't have that as well...)
    Star Trek Online Advancement: You start with lowbie gear, you end with Lobi gear.
  • hojain2020hojain2020 Member Posts: 417 Arc User
    edited June 2015
    I dont trust ARC at all. Prefer all money transfers through steam. Considering the few issues steam customer support has had steam is way more accesible than ARC.
    STO NPC AI LEVEL--->
    bollywood15_zpskyztknwo.gif
  • frtoasterfrtoaster Member Posts: 3,354 Arc User
    edited June 2015
    If malacious code can get out of your browser's sandbox, it is not important whether anything you have running is in admin mode or not. The question is - is the browser? If so, then the malicious code has admin rights. If not, the malicious code needs a way to escalate its privileges, and for that it doesn't require another program generally speaking, but a security hole in windows itself. A low privilege process should (barring windows vulnerabilities) not be able to manipulate a program in admin mode.

    Perhaps, I am not understanding you correctly, or you are not understanding me. I don't browse the Web using Arc. Actually, I normally don't run Arc at all. I run STO's launcher and client as a standard user, and I run my own web browser as a standard user. That suits me fine today, but they may someday make Arc mandatory. What I don't want is to have to log in as administrator in order to play the game. Then, I would be logged in as administrator if I open other programs, such as a web browser, while playing the game. Yes, if both the browser and the OS have serious enough security holes, then it wouldn't matter whether you run the browser as administrator or not. Are you saying that it doesn't matter at all whether you run a web browser as administrator? Admittedly, I am not an expert in Windows security. If you know more, then please explain.

    I generally don't think it is a good idea to require the user to be an administrator in order to run your application. I log in as administrator to install and remove programs. If I'm not actually doing administration, then I log in as a standard user. The problem is that many games today require patching, and the program you use to patch the game is the same one you use to launch it. You need to run that program even if you only want to play, not patch. That's why I started installing games in a separate directory that standard users can write to. If you have a better solution, then I would like hear it.
    Flash will probably always be an extra security risk, regardless of version. (Not that another browser technology couldn't have that as well...)

    Agreed, but they're installing a version of Flash that is known to be vulnerable. Are they going to keep installing updated versions of Flash? How often do they expect users to patch Arc? The Flash DLL that they installed is visible not only in Arc, but also in Firefox. Maybe, all Gecko-based web browsers can see it; I'm not completely sure.
    Waiting for a programmer ...
    qVpg1km.png
  • frtoasterfrtoaster Member Posts: 3,354 Arc User
    edited June 2015
    frtoaster wrote: »
    You may be missing an SSL certificate. I'm not sure whether you don't have one or whether Firefox doesn't accept yours because you're using a weak signature scheme. You are also using an encryption scheme that has been deprecated as insecure. I have provided reproduction steps below.

    Firefox still doesn't recognize your certificate. I'm not sure why. Updated reproductions steps are provided below.

    1. Start Firefox 38.0.5 on Windows 7 Home Premium (64-bit), Service Pack 1.
    2. Type arcgames.com into the address bar and press Enter. You are redirected to

    http://www.arcgames.com/en/games

    3. Click on "Sign in" in the upper right. A form drops down asking for your "User Name / Email" and "Password".
    4. Press Ctrl+U to view the source code for the page.
    5. Search for the form with class="form-horizontal form-sign-in-header". The source code shows that the form posts to

    https://www.arcgames.com/en/sign/in

    6. Copy and paste the above URL into the address bar and press Enter.
    7. Click on the warning icon to the left of the URL in the address bar. Firefox shows the following warning message:

    This website does not supply identity information.

    The connection to this website is not fully secure because it contains unencrypted elements (such as images) or the encryption is not strong enough.

    8. Click the "More Information..." button.
    9. Read the text below "Website Identity":

    Website: www.arcgames.com
    Owner: This website does not supply ownership information.
    Verified by: Not specified

    10. Read the text below "Technical Details":

    Broken Encryption (TLS_RSA_WITH_RC4_128_SHA, 128 bit keys, TLS 1.2)

    Parts of the page you are viewing were not encrypted or the encryption is not strong enough before being transmitted over the Internet.

    Information sent over the Internet without encryption can be seen by other people while it is in transit.

    11. Click the "View Certificate" button. Read the certificate information:

    Issued To
    Common Name (CN): *.arcgames.com
    Organization (O): <Not Part Of Certificate>
    Organizational Unit (OU): Domain Control Validated
    Serial Number: 04:0D:29:90:BE:46:B8
    Issued By
    Common Name (CN): Go Daddy Secure Certification Authority
    Organization (O): GoDaddy.com, Inc.
    Organizational Unit (OU): http://certificates.godaddy.com/repository
    Period of Validity
    Begins On: 7/11/2013
    Expires On: 7/11/2015
    Fingerprints
    SHA-256 Fingerprint: [deleted by me because the forum treats parts of the string as smiley faces]
    SHA1 Fingerprint: [deleted by me because the forum treats parts of the string as smiley faces]

    12. Press Ctrl+Shift+K to open the Web Console. Search for the following warning messages:

    This site uses the cipher RC4 for encryption, which is deprecated and insecure.
    This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.

    13. Type your user name and password, and click "Sign In".
    14. Click on "CHARGE". You are sent to

    https://billing.arcgames.com/en/

    15. Repeat steps 7 and 8.
    16. Read the text below "Website Identity":

    Website: billing.arcgames.com
    Owner: This website does not supply ownership information.
    Verified by: Not specified

    17. Repeat steps 10 through 12.


    The following tool also fails to recognize the certificate for www.arcgames.com and billing.arcgames.com:

    https://www.grc.com/fingerprints.htm

    The above tool does recognize the certificate for account.perfectworld.com. This certificate is used by the current forum (sto-forum.perfectworld.com), which will be taken down soon. The login page (http://www.perfectworld.com/login) posts to

    https://account.perfectworld.com/login

    The pop-up login form for the current forum also posts to the above URL.

    For comparison, here is the security information for that POST:

    Connection:
    Protocol version: TLSv1.2
    Cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Host account.perfectworld.com:
    HTTP Strict Transport Security: Disabled
    Public Key Pinning: Disabled
    Certificate:
    Issued To
    Common Name (CN): perfectworld.com
    Organization (O): Perfect World Entertainment
    Organizational Unit (OU): Akamai SAN SSL OV
    Issued By
    Common Name (CN): GeoTrust SSL CA
    Organization (O): GeoTrust, Inc.
    Organizational Unit (OU): <Not Available>
    Period of Validity
    Begins On: 10/12/2014
    Expires On: 12/13/2015
    Fingerprints
    SHA-256 Fingerprint: [deleted by me because the forum treats parts of the string as smiley faces]
    SHA1 Fingerprint: [deleted by me because the forum treats parts of the string as smiley faces]

    I obtained this information from the "Security" tab of Firefox's Network Monitor (Ctrl+Shift+Q).

    https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor
    https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor#Security


    Note that the certificate for www.arcgames.com and billing.arcgames.com is recognized by Internet Explorer 11.0.9600.17843 running on Windows 7 Home Premium (64-bit), Service Pack 1. Different browsers running on different operating systems may treat this certificate differently. Here is a tool to help you diagnose the problems:

    https://www.ssllabs.com/ssltest/
    Waiting for a programmer ...
    qVpg1km.png
  • sardociansardocian Member Posts: 187 Arc User
    edited June 2015
    Honest question - why is the old version of flash a big deal? The risk of flash being exploited comes from navigating to compromised or malicious websites - I presume you are using a patched up-to-date version of flash in the web browser you use to navigate the web.

    If the ARC application uses embedded flash that has vulnerabilities, what is the actual risk? They already have an application installed and running on your computer, so it's not like they gain anything from pushing out malicious flash apps through ARC.

    I agree its always a good idea to patch, but in this case, since they are using an embedded instance of flash (e.g. it's found in their ARC directory), it sounds like they took steps to isolate their instance of flash from the rest of the system, which is actually a good thing from a security point of view.
  • frtoasterfrtoaster Member Posts: 3,354 Arc User
    edited June 2015
    sardocian wrote: »
    Honest question - why is the old version of flash a big deal? The risk of flash being exploited comes from navigating to compromised or malicious websites - I presume you are using a patched up-to-date version of flash in the web browser you use to navigate the web.

    If the ARC application uses embedded flash that has vulnerabilities, what is the actual risk? They already have an application installed and running on your computer, so it's not like they gain anything from pushing out malicious flash apps through ARC.

    I agree its always a good idea to patch, but in this case, since they are using an embedded instance of flash (e.g. it's found in their ARC directory), it sounds like they took steps to isolate their instance of flash from the rest of the system, which is actually a good thing from a security point of view.

    I believe I already mentioned this. The insecure version of Flash installed by Arc shows up as a plugin in Firefox. If I set Arc's version of Flash to "Never Activate" and restart Firefox, I find that the up-to-date version of Flash that I installed is also set to "Never Activate". I'm guessing that Firefox is smart enough not to use the version of Flash that it has flagged as vulnerable, but I'm not completely sure.

    So Arc's version of Flash is not isolated only to Arc. Even if it were, it would still put unsuspecting users who use Arc to visit other websites at risk.
    frtoaster wrote: »
    Flash plugin installed by Arc

    If I view my Firefox plugins, I see that I have two versions of Flash installed.

    Shockwave Flash 16.0.0.235
    Shockwave Flash 17.0.0.169

    Above "Shockwave Flash 16.0.0.235", there is a warning message:

    Shockwave Flash is known to be vulnerable and should be updated.

    If I go to about:plugins, I see that "Shockwave Flash 16.0.0.235" was installed by Arc. The DLL was installed here:

    C:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\NPSWF32.dll

    If I set "Shockwave Flash 16.0.0.235" to "Never Activate" and restart Firefox, I find that "Shockwave Flash 17.0.0.169" has also been disabled. Stop installing outdated, insecure versions of Flash on my computer. I keep my own version of Flash up to date. Even if you update Arc's version of Flash, I don't run Arc often enough to keep that version up to date.
    Waiting for a programmer ...
    qVpg1km.png
Sign In or Register to comment.