Security Experts:

US-CERT Warns of Three Remotely Exploitable Flaws in Adobe Shockwave

Attackers could exploit three Adobe Shockwave flaws to remotely execute code on vulnerable systems, according to three advisories published by US-CERT this week.

The United States Computer Emergency Response Team (US-CERT) issued three separate vulnerability notices pointing out flaws in Adobe's Shockwave Player. One issue has to do with how extensions are used in Shockwave Player, while another refers to the outdated version of Flash Player being bundled into Shockwave Player. The final issue is a design flaw and allows attackers to force users to use a more vulnerable version of the player.

Attackers can trick users into viewing malicious Shockwave movies and take advantage of the security holes to remotely execute code on vulnerable computers, US-CERT said. No fix is available for any of these issues at this time, according to the advisory.

"Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013," an Adobe spokesperson told SecurityWeek. "We are not aware of any active exploits or attacks in the wild using this particular technique," Adobe said.

One issue was reported to Adobe in 2010 and exists in Shockwave Xtras, or extensions. Shockwave movies that use Xtras install them on the fly as needed, and don't require any user interaction to do so if the extension had been signed by Adobe. Since Xtras are stored inside the movie file, attackers can exploit the situation by embedding old extensions that are vulnerable into the file and have them install automatically.

"By convincing a user to view a specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user," the advisory said.

It turns out users who have the "Full" installer would likely already have several Xtras installed, which would limit the vulnerable extensions attackers could use, the advisory said. The "Slim" installer, in comparison, doesn't come with the Flash Xtra , meaning an attacker could include a vulnerable version of Flash Xtra into the movie file, which could be exploited while the user views the Shockwave movie, according to US-CERT.

Another issue has to do with the fact that Shockwave Player uses its own Flash runtime rather than the Flash Player installed separately on the system. In this case, Shockwave Player version 11.6.8.638 for Windows and Mac OS is bundled with a vulnerable version of Flash. Flash 10.2.159.1, the version that comes with Shockwave Player, was released in April 2011. Flash has been updated several times since then.

A design issue in Shockwave allows legacy versions of the runtime to be installed and used to view content, according to the advisory. If it's not specified, users could be tricked into using older and vulnerable versions of Shockwave installed on the system to view malicious content.

"Adobe Shockwave Player may automatically install a legacy version of the runtime, which can increase the attack surface of systems that have Shockwave installed," the advisory said.

For all three issues, US-CERT offered the same workarounds, such as restricting the handling of untrusted Director content to mitigate these issues. Other steps include Mozilla users running NoScript extensions to whitelist sites hosting Shockwave content, and Internet Explorer users disabling the Shockwave ActiveX control.

Subscribe to the SecurityWeek Email Briefing
view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.
view counter