Adobe Shockwave Lugging Around Hobbled, Vulnerable Version of Flash

Adobe promises that its next Shockwave update will bring its bundled Flash Player patch levels up to date; in the meantime, Shockwave offers hackers a large attack surface to target.

It’s bad enough that the Flash runtime bundled with Adobe’s Shockwave player is deficient in security patches going back to January 2013, but what’s worse is that the increased attack surface provided by Shockwave might make it easier to exploit. And, in the bargain, Adobe has known about the issue since October 2010.

“An attacker has not only the Flash attack surface, but all of the Shockwave attack surface at his disposal as well,” said Will Dormann, researcher at Carnegie Mellon University’s Software Engineering Institute. A week ago, Dormann updated a CERT alert from 2012 that was originally written two years earlier, warning users that Adobe still had not caught up to Shockwave’s shortcomings in this regard.

Adobe spokesperson Heather Edell told Threatpost today that the next release of Shockwave will include an updated version of Flash.

“We are reviewing our security update process in order to mitigate risks in Shockwave Player,” Edell said.

Dormann, meanwhile, isn’t sure how much that will help.

“Reports indicate that Adobe is planning on bringing the Flash version up to date with the next Shockwave update,” Dormann said. “But that’s only a temporary fix, since Flash and Shockwave have different patch cycles.”

Shockwave has been updated four times in the last 13 months, most recently in February. Flash Player, meanwhile, has been updated many more times—almost monthly—including patches for a number of zero-day vulnerabilities targeted by criminals and nation-state hackers. No public exploits, however, have been reported that target the Flash Player bundled with Shockwave.

“There may have been a point in time when the Flash version provided by Shockwave was ‘caught up’ with the standalone version,” Dormann said. “But as you can see, the situation has not changed since then. The architecture in which Flash is provided by Shockwave is still the same.”

Contributing to the problem is the fact that some Shockwave modules don’t opt in to some Windows mitigations, said Dormann, who pointed to one in particular called SafeSEH. The mitigation makes it more difficult and costly for an attacker to use a Structured Exception Handler (SEH) overwrite exploitation technique to execute code on the underlying operating system.

“This means that an attacker can easily use a SEH-overwriting vulnerability (e.g. a stack buffer overflow) in the exploit when Flash is attacked via Shockwave, but that same attack may not be as viable if Flash is attacked directly,” Dormann said. One temporary mitigation, Dormann advised, is to deploy Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET, which will force the use of SEHOP, or SEH overwrite protection.
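
An added example, not from the article, Adobe or CERT: a static check a defender could run over a plug-in's modules to see which 32-bit images opt in to SafeSEH, by reading the PE load configuration directory. The function names and the image produced by `build_sample` are constructed for illustration.

```python
import struct

NO_SEH = 0x0400  # IMAGE_DLLCHARACTERISTICS_NO_SEH

def safeseh_status(pe: bytes) -> str:
    """Return 'safeseh', 'no-seh', 'not-x86' or 'missing' for a PE image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsec = struct.unpack_from("<HH", pe, nt + 4)
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24                                         # optional header
    if machine != 0x014C or struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        return "not-x86"   # SafeSEH only applies to 32-bit x86 images
    if struct.unpack_from("<H", pe, opt + 70)[0] & NO_SEH:
        return "no-seh"    # image declares that it has no SEH handlers
    ndirs = struct.unpack_from("<I", pe, opt + 92)[0]
    # Data directory 10 is the load configuration directory.
    rva, _ = struct.unpack_from("<II", pe, opt + 96 + 80) if ndirs > 10 else (0, 0)
    for i in range(nsec):  # map the load-config RVA to a file offset
        vsize, vaddr, rsize, raw = struct.unpack_from(
            "<IIII", pe, opt + opt_size + 40 * i + 8)
        if rva and vaddr <= rva < vaddr + max(vsize, rsize):
            cfg = raw + (rva - vaddr)
            if struct.unpack_from("<I", pe, cfg)[0] >= 72:  # has SEH fields
                table, count = struct.unpack_from("<II", pe, cfg + 64)
                if table and count:
                    return "safeseh"
    return "missing"       # no NO_SEH flag and no registered handler table

def build_sample(seh_count: int = 0, dll_chars: int = 0) -> bytes:
    """Constructed minimal PE32 headers with one section and a load config."""
    img = bytearray(0x400)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x014C, 1)         # i386, one section
    struct.pack_into("<H", img, 0x54, 224)                # SizeOfOptionalHeader
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)               # PE32 magic
    struct.pack_into("<H", img, opt + 70, dll_chars)
    struct.pack_into("<I", img, opt + 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 80, 0x1000, 72)
    struct.pack_into("<IIII", img, opt + 224 + 8, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x200, 72)                # load config Size
    struct.pack_into("<II", img, 0x240, 0x401100 if seh_count else 0, seh_count)
    return bytes(img)

if __name__ == "__main__":
    for n in (3, 0):
        print(n, safeseh_status(build_sample(seh_count=n)))
```

A 32-bit module that reports `missing` has not opted in, which is the condition Dormann describes for some Shockwave modules.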

It is unknown whether Adobe will issue an emergency update for Flash, or if it will wait until June 10; Adobe has been coordinating scheduled patch releases and security updates to coincide with Microsoft’s Patch Tuesday updates.

The last emergency Flash update was released in February to patch a zero-day vulnerability being exploited by The Mask APT campaign disclosed by Kaspersky Lab.
