US-CERT Warns of Three Remotely Exploitable Flaws in Adobe Shockwave

Attackers could exploit three Adobe Shockwave flaws to remotely execute code on vulnerable systems, according to three advisories published by US-CERT this week.

The United States Computer Emergency Response Team (US-CERT) issued three separate vulnerability notices pointing out flaws in Adobe’s Shockwave Player. One issue has to do with how extensions are used in Shockwave Player, while another refers to the outdated version of Flash Player being bundled into Shockwave Player. The final issue is a design flaw and allows attackers to force users to use a more vulnerable version of the player.

Attackers can trick users into viewing malicious Shockwave movies and take advantage of the security holes to remotely execute code on vulnerable computers, US-CERT said. No fix is available for any of these issues at this time, according to the advisory.

“Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013,” an Adobe spokesperson told SecurityWeek. “We are not aware of any active exploits or attacks in the wild using this particular technique,” Adobe said.

One issue was reported to Adobe in 2010 and exists in Shockwave Xtras, or extensions. Shockwave movies that use Xtras install them on the fly as needed, and don’t require any user interaction to do so if the extension has been signed by Adobe. Since Xtras are stored inside the movie file, attackers can exploit the situation by embedding old, vulnerable extensions in the file and having them install automatically.

“By convincing a user to view a specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user,” the advisory said.

It turns out users who have the “Full” installer would likely already have several Xtras installed, which would limit the vulnerable extensions attackers could use, the advisory said. The “Slim” installer, in comparison, doesn’t come with the Flash Xtra, meaning an attacker could include a vulnerable version of the Flash Xtra in the movie file, which could be exploited while the user views the Shockwave movie, according to US-CERT.

Another issue has to do with the fact that Shockwave Player uses its own Flash runtime rather than the Flash Player installed separately on the system. In this case, Shockwave Player version for Windows and Mac OS is bundled with a vulnerable version of Flash. Flash, the version that comes with Shockwave Player, was released in April 2011. Flash has been updated several times since then.

A design issue in Shockwave allows legacy versions of the runtime to be installed and used to view content, according to the advisory. If it’s not specified, users could be tricked into using older and vulnerable versions of Shockwave installed on the system to view malicious content.

“Adobe Shockwave Player may automatically install a legacy version of the runtime, which can increase the attack surface of systems that have Shockwave installed,” the advisory said.

For all three issues, US-CERT offered the same workarounds, such as restricting the handling of untrusted Director content. Other steps include Mozilla users running the NoScript extension to whitelist sites hosting Shockwave content, and Internet Explorer users disabling the Shockwave ActiveX control.
