Adobe Shockwave Vulnerabilities at Critical Level and Very Late
The US-CERT, operated by the Department of Homeland Security, has recently issued three advisories involving Adobe Shockwave Player. One of the bugs that was warned about in October 2010 is not scheduled to be fixed until February 2013…unbelievable!
Here are the advisories issued recently:
- VU#519137: Shockwave Xtras vulnerability, originally reported in Oct. 2010, scheduled for a fix in Feb. 2013.
- VU#323161: Vulnerable flash runtime
- VU#546769: Vulnerable downgrading
The first vulnerability, for Shockwave Xtras, as explained above, is long overdue to be patched. Many companies have done this before; notably, Apple was long overdue in fixing an iTunes flaw. The problem with Xtras, as the US-CERT reports in the bulletin, is that “Adobe Shockwave Player installs Xtras that are signed by Adobe or Macromedia without prompting, which can allow an attacker to target vulnerabilities in older Xtras.”
“Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013,” Adobe’s Wiebke Lips wrote.
The other two vulnerabilities are design flaws that attackers can exploit. US-CERT also warned that Shockwave Player version 220.127.116.118 for Windows and Mac OS comes with a vulnerable version of the Flash runtime. The full installer for 18.104.22.1688 comes with Flash 10.2.159.1, released in April of last year, which is vulnerable. Shockwave, the advisory said, uses its own Flash runtime rather than the system-wide Flash.
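The common thread in the Xtras advisory and the bundled-Flash advisory is that a component is trusted because it carries a valid Adobe or Macromedia signature, with no check that it is also the current version; an old, signed, vulnerable component passes just as easily as a new one. The following added example (written for this page, not code from Adobe or US-CERT) contrasts that signature-only policy with one that also enforces a per-component minimum version floor. The component inventory and the floor values are constructed for illustration; only the Flash 10.2.159.1 version string comes from the advisory text above.

```python
"""Signature-only trust versus signature plus a version floor.

Added example illustrating the design flaw behind the Shockwave advisories:
a validly signed but outdated component should not be accepted silently.
All component records and floor values below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Signers the weak policy trusts unconditionally (names taken from the advisory).
TRUSTED_SIGNERS = {"Adobe", "Macromedia"}

# Hypothetical minimum acceptable versions per component; not from any advisory.
MIN_VERSIONS: Dict[str, str] = {
    "Flash runtime": "10.3.0.0",   # assumed floor, constructed for the example
    "ExampleXtra": "2.0.0.0",      # hypothetical Xtra name and floor
}


@dataclass(frozen=True)
class Component:
    """A loadable component as the host sees it: name, version, signer."""
    name: str
    version: str
    signer: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '10.2.159.1' into a comparable tuple."""
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_below(candidate: str, floor: str) -> bool:
    """True when candidate is older than floor; shorter tuples are zero-padded
    so '10.3' and '10.3.0.0' compare as equal rather than by length."""
    a, b = parse_version(candidate), parse_version(floor)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def allow_signature_only(component: Component) -> bool:
    """The weak policy described in the advisory: a trusted signer is enough,
    so an attacker-supplied older (still signed) build is accepted silently."""
    return component.signer in TRUSTED_SIGNERS


def allow_with_floor(component: Component,
                     floors: Dict[str, str]) -> Tuple[bool, str]:
    """Hardened policy: trusted signer AND version at or above the floor.
    Components with no floor on record are refused rather than assumed safe."""
    if component.signer not in TRUSTED_SIGNERS:
        return False, "untrusted signer"
    floor = floors.get(component.name)
    if floor is None:
        return False, "no version floor on record"
    if version_below(component.version, floor):
        return False, f"version {component.version} is below floor {floor}"
    return True, "ok"


def audit(components: List[Component],
          floors: Dict[str, str]) -> Dict[str, Tuple[bool, bool, str]]:
    """For each component return (weak_policy_allows, floor_policy_allows, reason)
    so the two policies can be compared side by side."""
    report = {}
    for c in components:
        ok, reason = allow_with_floor(c, floors)
        report[c.name] = (allow_signature_only(c), ok, reason)
    return report


# Constructed inventory: the Flash version string is the one the advisory cites;
# the Xtra entries are hypothetical.
SAMPLE_COMPONENTS = [
    Component("Flash runtime", "10.2.159.1", "Adobe"),
    Component("ExampleXtra", "1.4.0.0", "Macromedia"),
    Component("ExampleXtra", "2.1.0.0", "Macromedia"),
    Component("UnknownXtra", "9.9.9.9", "Adobe"),
]

if __name__ == "__main__":
    for name, (weak, strict, why) in audit(SAMPLE_COMPONENTS, MIN_VERSIONS).items():
        print(f"{name:14s} signature-only={weak!s:5s} with-floor={strict!s:5s} ({why})")
```

Running it shows the bundled Flash 10.2.159.1 and the older Xtra build accepted by the signature-only policy and refused by the floor policy, while the newer Xtra passes both. The point for defenders is that a signature proves origin, not currency; rollback protection needs an explicit version floor (or a revocation list) in addition to the signature check.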
There are no fixes available at present. For workarounds, see the advisories referenced above.