(LiveHacking.Com) – According to three advisories published by US-CERT, Adobe Shockwave has three Critical vulnerability which could allow attackers to remotely execute code on vulnerable machines. At least one of the vulnerabilities was reported to Adobe in 2010 and isn’t scheduled to be fixed until 2013.
US-CERT issued Vulnerability Note VU#519137 warning that Adobe Shockwave Player installs Xtras that are signed by Adobe or Macromedia without prompting, this means that an attacker can target vulnerabilities in older versions of Xtras. When Shockwave needs to use an Xtra it will be downloaded and installed automatically without any user interaction. The problem is that the download location is stored in the Shockwave movie itself. By changing the value of the download location attackers can force a vulnerable older version of the Xtra to be installed.
“By convincing a user to view specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user,” noted US-CERT.
In another issue, US-CERT reported that Adobe Shockwave Player 18.104.22.1688 and earlier provide a vulnerable version of the Flash runtime. The included Flash runtime is version 10.2.159.1, which was released on April 15, 2011.This version of Flash contains several exploitable vulnerabilities. Since Shockwave uses its own Flash runtime, the machine is still vulnerable even if a new version of Flash has been installed on the PC.
The third problem is that Adobe Shockwave Player can automatically install a legacy version of its runtime. This can increase the attack surface of systems that have Shockwave installed. Because this is a design feature, attackers can target vulnerabilities in the Shockwave 10 runtime, or any of the Xtras provided by Shockwave 10. The example that US-CERT gives is that the legacy version of Shockwave provides Flash 22.214.171.124, which was released on November 14, 2006 and contains multiple, known vulnerabilities.
“Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013,” an Adobe spokesperson told SecurityWeek. “We are not aware of any active exploits or attacks in the wild using this particular technique.”
Uninstalling the Shockwave Player will remove the vulnerabilities and since it isn’t used that often today you can probably remove it without any impact on your system. Adobe has an uninstaller.