(LiveHacking.Com) – Adobe has released a security update for its Shockwave Player to fix critical vulnerabilities that could allow an attacker to run malicious code on a victim’s PC and infect it with malware. All installations of Shockwave Player 18.104.22.1687 and earlier versions on the Windows and Mac are affected. Adobe recommends that all users upgrade to Shockwave Player 22.214.171.1248.
Th update patches 6 distinct security bugs in the software, all of which are related to memory corruption issues:
- Buffer overflow vulnerabilities that could lead to code execution (CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, CVE-2012-5273).
- Array out of bounds vulnerability that could lead to code execution (CVE-2012-4176).
It seems that Adobe was tipped off about many of these errors by Will Dormann of the CERT Coordination Center at the Carnegie Mellon University. Adobe also thank Honggang Ren of Fortinet’s FortiGuard Labs for pointing out CVE-2012-5273.
The Shockwave plugin is still quite popular for Windows and Mac users who need it to access certain types of multimedia content. However it shouldn’t be confused with Adobe Flash Player which is much more prevalent. There are different but note that Flash Player still shows up as ‘Shockwave Flash’ in Mozilla Firefox’s plugins listing.
Before updating Shockwave, you should check to see if you have it installed. Use this link and check that a short animation is displayed along with the version number of Shockwave. If you are asked to download Shockwave then you don’t have it installed and it is best to leave things the way they are. If you do have it installed think about the possibilities of uninstalling it. It isn’t as popular as it once was and most sites no longer require Shockwave at all. Uninstalling it will remove a potential attack vector.