UPDATE — US-CERT issued advisories against a trio of Adobe Shockwave vulnerabilities that could allow an attacker to remotely execute code on systems running the vulnerable media player.
The most disturbing aspect of this warning is that the issue, which concerns Shockwave Xtras, or extensions, was reported to Adobe in 2010. Shockwave movies that use Xtras install them as needed, and if the extension is signed by Adobe, it is installed without user interaction. Attackers are able to exploit this situation because the Xtras are stored in the Shockwave movie file; old extensions that are vulnerable to exploit can be installed automatically.
Adobe spokesperson Wiebke Lips told Threatpost the company is not aware of any active exploits and plans to address the issue in its next major Shockwave release in February.
Any user who is tricked into viewing a malicious Shockwave file online or in an email attachment would also be downloading a vulnerable Xtra, potentially enabling the attacker to gain remote control over a machine.
The vulnerability is more difficult to contain for users running the Full Shockwave installer, rather than Slim.
“In order for an attacker to install an older, vulnerable Xtra on a system with Shockwave, that Xtra must not already be present on the system. If you must have Shockwave installed, using the ‘Full’ installer will cause more Xtras to be present, limiting the choices that an attacker may be able to leverage to exploit,” the advisory said. “For example, the ‘Slim’ installer for Shockwave does not provide the Flash Xtra. An attacker could target this installation configuration by hosting an arbitrary version of the Flash Xtra that would be automatically installed and exploited upon viewing a malicious Shockwave movie.”
US-CERT said no fix is available.
“Restricting the handling of untrusted Director content may help mitigate this vulnerability,” the advisory said. Shockwave movies are built in Adobe Director. US-CERT also recommends that Mozilla users run the NoScript extension to whitelist any sites hosting Shockwave content. Internet Explorer users, meanwhile, can disable the Shockwave ActiveX control.
US-CERT also warned that Shockwave Player version 11.6.8.638 for Windows and Mac OS comes with a vulnerable version of the Flash runtime. The Full installer for 11.6.8.638 comes with Flash 10.2.159.1, released in April of last year, which is vulnerable. Shockwave, the advisory said, uses its own Flash runtime rather than the system-wide Flash.
Again, an attacker would have to lure a user to view malicious Shockwave content to trigger an exploit. The workarounds recommended for this vulnerability are similar to those in the Xtras advisory.
The final advisory deals with a design issue in Shockwave where it may automatically install legacy versions of the runtime, which could be vulnerable to attack. Unless specified, older and vulnerable versions of Shockwave could be used to view content. If a user is lured to a site hosting malicious content, they could be exploited.
“Attackers can simply target vulnerabilities in the Shockwave 10 runtime, or any of the Xtras provided by Shockwave 10,” the advisory said.
Restricting the use of and access to Adobe Director files, running NoScript, or disabling Shockwave’s ActiveX control in IE are the recommended workarounds until Adobe issues a patch.
This article was updated to include information from Adobe.