CERT has issued a security advisory outlining three vulnerabilities in Adobe Shockwave Player through which attackers can execute remote code.
The software reportedly downloads software components, called "Xtras," without prompting the user, as long as those Xtras appear to have valid certificates from Adobe or Macromedia. But, this functionality apparently opens an exploit opportunity, especially when targeting older Xtras. If the user is tricked into clicking on malicious Shockwave content through a Web page, email or attachment, the attackers can execute remote code to gain control of the affected machine.
Two other vulnerabilities impact Flash runtime in similar fashions.
[Related: The 10 Biggest Security Stories Of 2012]
Shockwave Player, which is used to support Macromedia and Adobe-based active Web content, is available as an ActiveX control for Internet Explorer and as a plug-in for other browsers.
CERT identifies no available bug-fix at this time, and it recommends users limit access to Adobe Director files. The advisory further recommends that the Shockwave Player ActiveX control in Internet Explorer be disabled. It is also advised that users engage the NoScript extension to whitelisted websites that can run Shockwave Player in Mozilla Firefox.
Other recommendations involve the use of the Microsoft Enhanced Mitigation Experience Toolkit (EMET), enablement of Windows Data Execution Prevention (DEP) used in conjunction with Address Space Layout Randomization (ASLR), and use of the "Full" Shockwave installer instead of the "Slim" version.
"In order for an attacker to install an older, vulnerable Xtra on a system with Shockwave, that Xtra must not already be present on the system," says the advisory. "If you must have Shockwave installed, using the "Full" installer will cause more Xtras to be present, limiting the choices that an attacker may be able to leverage to exploit."
Development of corresponding patches is believed to be underway.
PUBLISHED DEC. 19, 2012