Adobe to patch 2-year-old Shockwave flaw next year
The flaws could allow remote code to be executed, one of the most severe kinds of vulnerabilities
IDG News Service - Adobe plans in February to close a dangerous hole in its Shockwave application that causes the application to be downgraded when a user launches older multimedia content, allowing hackers to target years-old vulnerabilities.
The U.S. Computer Emergency Readiness Team (U.S. CERT) issued an advisory on the vulnerability, which could allow an attacker to deliver malware and execute arbitrary code, considered to be one of the most dangerous kinds of flaws.
U.S. CERT notified Adobe of the problem on Oct. 27, 2010, but an Adobe spokesperson said Wednesday that the problem will be closed with the next major upgrade of Shockwave, scheduled for Feb. 12.
"We are not aware of any active exploits or attacks in the wild using this particular technique," said Wiebke Lips, senior manager with Adobe corporate communications. Adobe did not consider the issue a high risk to users.
Shockwave is used to play content created in Macromedia and Adobe Director, which offers advanced tools for creating interactive content, including Flash.
U.S. CERT cited Adobe documentation that says if a user encounters content that does not specify to use the latest Shockwave version 11, an older ActiveX control is downloaded that pulls components of the older Shockwave 10 player. Shockwave uses an ActiveX control when content is requested within Microsoft's Internet Explorer and is present as a plugin in other browsers, according to U.S. CERT.
The Shockwave 10 runtime contains vulnerabilities as well as the application's "Xtras," which are components of content. The downgrading of Shockwave to an older version also opens up Adobe's Flash multimedia application for attack, the agency said.
"Because of this design, attackers can simply target vulnerabilities in the Shockwave 10 runtime, or any of the Xtras provided by Shockwave 10," U.S. CERT wrote. "For example, the legacy version of Shockwave provides Flash 220.127.116.11, which was released on November 14, 2006 and contains multiple, known vulnerabilities."
U.S. CERT has published two other document describing the issues with Xtras and Flash, which Adobe said it is analyzing. The first concerns Shockwave's downgrading to an older Flash version, which affects both Windows and Apple's Mac. The second involves the problem of malicious Xtras.
"We are not aware of any active exploits or attacks in the wild using these techniques either," Lips said.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Enhancing Application Protection and Recovery with a Modern Approach to Snapshot Management This CommVault Business Value and Technology White Paper explains how Simpana IntelliSnap® Recovery Manager can make your application recovery fast and reliable.
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts