There are Adobe Shockwave vulnerabilities that could allow an attacker to remotely execute code on systems running the vulnerable media player, according to a report on US-CERT.
This warning first went to Adobe in 2010 regarding Shockwave Xtras, or extensions. Shockwave movies that use Xtras install them as needed, and if Adobe signs the extension, it installs without user interaction. Attackers are able to exploit this situation because the Xtras store in the Shockwave movie file; old extensions vulnerable to exploit can install automatically.
Adobe is not aware of any active exploits and plans to address the issue in its next major Shockwave release in February, said company spokesman Wiebke Lips.
Any user viewing a malicious Shockwave file online or in an email attachment would also be downloading a vulnerable Xtra, potentially enabling the attacker to gain remote control over a machine.
The vulnerability is more difficult to contain for users running the Full Shockwave installer, rather than Slim.
“In order for an attacker to install an older, vulnerable Xtra on a system with Shockwave, that Xtra must not already be present on the system. If you must have Shockwave installed, using the “Full” installer will cause more Xtras to be present, limiting the choices that an attacker may be able to leverage to exploit,” the advisory said. “For example, the “Slim” installer for Shockwave does not provide the Flash Xtra. An attacker could target this installation configuration by hosting an arbitrary version of the Flash Xtra that would be automatically installed and exploited upon viewing a malicious Shockwave movie.”
US-CERT said no fix is available.
“Restricting the handling of untrusted Director content may help mitigate this vulnerability,” the advisory said. Shockwave movies are already in Adobe Director. US-CERT recommended Mozilla users run NoScript extensions to whitelist any sites hosting Shockwave content. Internet Explorer users, meanwhile, can disable the Shockwave ActiveX control.
US-CERT also warned that Shockwave Player version 220.127.116.118 for Windows and Mac OS comes with a vulnerable version of Flash runtime. The Full installer for 18.104.22.1688 comes with Flash 10.2.159.1 released April of last year, which is vulnerable. Shockwave, the advisory said, uses its own Flash runtime rather than the system-wide Flash.