Adobe’s Shockwave Player bundles a version of the company’s Flash Player that is 15 months behind on security updates, a feature hackers can use to hijack both Windows PCs and Macs running it, a security expert has warned. The advisory about the risk from Shockwave, which was published in late 2012 by security researcher Will Dormann for Carnegie Mellon University’s CERT, escaped public notice until Wednesday, when it was reported by KrebsOnSecurity. In the 15 months since the initial post, Adobe has made little progress. According to reporter Brian Krebs, the current version of Shockwave for both Windows and Mac systems lacks any of the Flash security fixes released since January 2013. That includes almost 20 different patches for security holes, some that fixed critical holes that real-world hackers exploited in the wild to commandeer end users’ computers.