Connect with us

Hi, what are you looking for?



US-CERT Warns of Three Remotely Exploitable Flaws in Adobe Shockwave

Attackers could exploit three Adobe Shockwave flaws to remotely execute code on vulnerable systems, according to three advisories published by US-CERT this week.

Attackers could exploit three Adobe Shockwave flaws to remotely execute code on vulnerable systems, according to three advisories published by US-CERT this week.

The United States Computer Emergency Response Team (US-CERT) issued three separate vulnerability notices pointing out flaws in Adobe’s Shockwave Player. One issue has to do with how extensions are used in Shockwave Player, while another refers to the outdated version of Flash Player being bundled into Shockwave Player. The final issue is a design flaw and allows attackers to force users to use a more vulnerable version of the player.

Attackers can trick users into viewing malicious Shockwave movies and take advantage of the security holes to remotely execute code on vulnerable computers, US-CERT said. No fix is available for any of these issues at this time, according to the advisory.

“Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013,” an Adobe spokesperson told SecurityWeek. “We are not aware of any active exploits or attacks in the wild using this particular technique,” Adobe said.

One issue was reported to Adobe in 2010 and exists in Shockwave Xtras, or extensions. Shockwave movies that use Xtras install them on the fly as needed, and don’t require any user interaction to do so if the extension had been signed by Adobe. Since Xtras are stored inside the movie file, attackers can exploit the situation by embedding old extensions that are vulnerable into the file and have them install automatically.

“By convincing a user to view a specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user,” the advisory said.

It turns out users who have the “Full” installer would likely already have several Xtras installed, which would limit the vulnerable extensions attackers could use, the advisory said. The “Slim” installer, in comparison, doesn’t come with the Flash Xtra , meaning an attacker could include a vulnerable version of Flash Xtra into the movie file, which could be exploited while the user views the Shockwave movie, according to US-CERT.

Advertisement. Scroll to continue reading.

Another issue has to do with the fact that Shockwave Player uses its own Flash runtime rather than the Flash Player installed separately on the system. In this case, Shockwave Player version for Windows and Mac OS is bundled with a vulnerable version of Flash. Flash, the version that comes with Shockwave Player, was released in April 2011. Flash has been updated several times since then.

A design issue in Shockwave allows legacy versions of the runtime to be installed and used to view content, according to the advisory. If it’s not specified, users could be tricked into using older and vulnerable versions of Shockwave installed on the system to view malicious content.

“Adobe Shockwave Player may automatically install a legacy version of the runtime, which can increase the attack surface of systems that have Shockwave installed,” the advisory said.

For all three issues, US-CERT offered the same workarounds, such as restricting the handling of untrusted Director content to mitigate these issues. Other steps include Mozilla users running NoScript extensions to whitelist sites hosting Shockwave content, and Internet Explorer users disabling the Shockwave ActiveX control.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.