April 17, 2014

Adobe hasn’t yet fixed Critical Shockwave vulnerability reported in 2010

(LiveHacking.Com) – According to three advisories published by US-CERT, Adobe Shockwave has three Critical vulnerabilities which could allow attackers to remotely execute code on vulnerable machines. At least one of the vulnerabilities was reported to Adobe in 2010 and isn’t scheduled to be fixed until 2013.

US-CERT issued Vulnerability Note VU#519137 warning that Adobe Shockwave Player installs Xtras that are signed by Adobe or Macromedia without prompting. This means that an attacker can target vulnerabilities in older versions of Xtras. When Shockwave needs to use an Xtra, it is downloaded and installed automatically without any user interaction. The problem is that the download location is stored in the Shockwave movie itself. By changing the value of the download location, attackers can force a vulnerable older version of the Xtra to be installed.

“By convincing a user to view specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user,” noted US-CERT.
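The weakness in VU#519137 comes from treating a valid vendor signature as sufficient, without checking how old the signed component is. The following added example (not code from US-CERT or Adobe) models that in Python and contrasts it with an installer that also enforces a minimum version; the HMAC key stands in for real code signing, and the component name `ExampleXtra`, its versions and the version floor are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor signing key; HMAC replaces real code
# signing only so that the example runs offline.
VENDOR_KEY = b"constructed-demo-key"

# Hypothetical policy: oldest build of each component still considered safe.
MIN_VERSION = {"ExampleXtra": (11, 6, 8)}


def sign(name, version, payload):
    msg = f"{name}|{version}|".encode() + payload
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()


def make_pkg(name, version, payload):
    return {"name": name, "version": version, "payload": payload,
            "sig": sign(name, version, payload)}


def signature_ok(pkg):
    expected = sign(pkg["name"], pkg["version"], pkg["payload"])
    return hmac.compare_digest(expected, pkg["sig"])


def install_signature_only(pkg):
    """Models the behaviour in the advisory: any vendor-signed build is accepted."""
    return signature_ok(pkg)


def install_with_floor(pkg):
    """Hardened: the signature must verify AND the version must meet the floor."""
    if not signature_ok(pkg):
        return False
    floor = MIN_VERSION.get(pkg["name"])
    if floor is None:
        return False  # unknown component: refuse rather than auto-install
    version = tuple(int(part) for part in pkg["version"].split("."))
    return version >= floor


# Constructed sample packages: an old signed build, a current one, a tampered one.
OLD = make_pkg("ExampleXtra", "10.1.0", b"old build")
NEW = make_pkg("ExampleXtra", "11.6.8", b"current build")
TAMPERED = dict(NEW, payload=b"modified after signing")

if __name__ == "__main__":
    for label, pkg in (("old", OLD), ("new", NEW), ("tampered", TAMPERED)):
        print(label, install_signature_only(pkg), install_with_floor(pkg))
```

The old build passes the signature-only check because it was legitimately signed; only the version floor rejects it.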

In another issue, US-CERT reported that Adobe Shockwave Player 11.6.8.638 and earlier provide a vulnerable version of the Flash runtime. The included Flash runtime is version 10.2.159.1, which was released on April 15, 2011. This version of Flash contains several exploitable vulnerabilities. Since Shockwave uses its own Flash runtime, the machine is still vulnerable even if a new version of Flash has been installed on the PC.

The third problem is that Adobe Shockwave Player can automatically install a legacy version of its runtime. This can increase the attack surface of systems that have Shockwave installed. Because this is a design feature, attackers can target vulnerabilities in the Shockwave 10 runtime, or any of the Xtras provided by Shockwave 10. The example that US-CERT gives is that the legacy version of Shockwave provides Flash 8.0.34.0, which was released on November 14, 2006 and contains multiple, known vulnerabilities.

“Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013,” an Adobe spokesperson told SecurityWeek. “We are not aware of any active exploits or attacks in the wild using this particular technique.”

Uninstalling the Shockwave Player will remove the vulnerabilities, and since it isn’t used that often today, you can probably remove it without any impact on your system. Adobe has an uninstaller.

 

Adobe releases security update to fix critical vulnerabilities in Shockwave Player

(LiveHacking.Com) – Adobe has released a security update for its Shockwave Player to fix critical vulnerabilities that could allow an attacker to run malicious code on a victim’s PC and infect it with malware. All installations of Shockwave Player 11.6.7.637 and earlier versions on Windows and Mac are affected. Adobe recommends that all users upgrade to Shockwave Player 11.6.8.638.

The update patches 6 distinct security bugs in the software, all of which are related to memory corruption issues:

  • Buffer overflow vulnerabilities that could lead to code execution (CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, CVE-2012-5273).
  • Array out of bounds vulnerability that could lead to code execution (CVE-2012-4176).

It seems that Adobe was tipped off about many of these errors by Will Dormann of the CERT Coordination Center at Carnegie Mellon University. Adobe also thanks Honggang Ren of Fortinet’s FortiGuard Labs for pointing out CVE-2012-5273.

The Shockwave plugin is still quite popular among Windows and Mac users who need it to access certain types of multimedia content. However, it shouldn’t be confused with Adobe Flash Player, which is much more prevalent. They are different, but note that Flash Player still shows up as ‘Shockwave Flash’ in Mozilla Firefox’s plugins listing.

Before updating Shockwave, you should check to see if you have it installed. Use this link and check that a short animation is displayed along with the version number of Shockwave. If you are asked to download Shockwave, then you don’t have it installed and it is best to leave things the way they are. If you do have it installed, think about uninstalling it. It isn’t as popular as it once was and most sites no longer require Shockwave at all. Uninstalling it will remove a potential attack vector.

In the security advisory, Adobe says it is not aware of any active attacks against these flaws. The newest version can be downloaded here.