Adobe promises to soon patch 2-year-old Shockwave flaw - jenkinsenswer

Adobe plans in February to close a dangerous hole in its Shockwave application that causes the application to be downgraded when a user launches experienced multimedia system content, allowing hackers to target years-old vulnerabilities.

The U.S. Computer Emergency Zeal Team up (U.S. CERT) issued an advisory on the vulnerability, which could allow an attacker to deliver malware and execute discretionary code, considered to be one of the about dangerous kinds of flaws.

U.S. CERT notified Adobe of the problem on October 27, 2010, merely an Adobe spokesperson said Wed that the problem wish be closed with the next major kick upstairs of Shockwave, regular for February 12.

"We are not aware of any active exploits or attacks in the hazardous victimization this particular technique," said Wiebke Lips, senior manager with Adobe corporate communications. Adobe brick did non consider the issue a high take chances to users.

Shockwave is in use to play content created in Macromedia and Adobe brick Director, which offers advanced tools for creating mutual content, including Flash.

U.S. CERT cited Adobe brick documentation that says if a user encounters content that does non specify to wont the latest Shockwave version 11, an older ActiveX control is downloaded that pulls components of the older Shockwave 10 player. Shockwave uses an ActiveX control when content is requested within Microsoft's Internet Explorer and is present as a plugin in other browsers, according to U.S. CERT.

Flash flaws cited

The Shockwave 10 runtime contains vulnerabilities as well arsenic the coating's "Xtras," which are components of content. The downgrading of Shockwave to an sr. version also opens up Adobe brick's Flash multimedia system application for set on, the agency said.

"Because of this design, attackers give notice simply target vulnerabilities in the Shockwave 10 runtime, or some of the Xtras provided by Shockwave 10," U.S. CERT wrote. "For example, the legacy version of Shockwave provides Flash 8.0.34.0, which was released on November 14, 2006 and contains multiple, known vulnerabilities."

U.S. CERT has publicized two other document describing the issues with Xtras and Flash, which Adobe aforementioned IT is analyzing. The first concerns Shockwave's downgrading to an old Flash version, which affects both Windows and Apple's Macintosh. The second involves the problem of malicious Xtras.

"We are non aware of any activistic exploits Beaver State attacks in the chaotic using these techniques either," Lips said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Chitter: @jeremy_kirk