Adobe Shockwave Includes Severely Outdated Version of Flash
Take a moment to check & see if you have Adobe Shockwave Player installed on your computer.
Adobe Shockwave Player for both Windows & Mac includes a vulnerable version of Flash (version 11.5.502.146) that attackers can exploit to take control of the affected system.
The vulnerability was initially discovered & reported to Adobe back in December of 2012 by Will Dormann, a security researcher on Carnegie Mellon University’s Computer Emergency Response Team (CERT). There wasn’t much fuss then, but the vulnerability is finally getting the attention it deserves after catching the eye of Brian Krebs of KrebsOnSecurity, who caught wind of it after Dormann commented on a post reviewing the adoption rate of Adobe Flash Player updates.
In his 2012 advisory, Dormann wrote that Shockwave Player 220.127.116.11 (the current version) comes with Flash version 11.5.502.146, which was last updated January 2013 and contains several exploitable vulnerabilities. This is bad news because Shockwave Player uses its own bundled, outdated version of Flash rather than whatever version may be installed system-wide, so updating Flash Player itself does not fix the copy that Shockwave loads.
As a result, attackers can exploit the vulnerability & execute arbitrary code on the target computer by tricking the user into visiting a website containing specially crafted Shockwave content.
Despite being notified of the vulnerability 15 months ago, Adobe has done little to address the issue, but a spokesperson for Adobe told KrebsOnSecurity that they plan on rolling in an updated version of Flash Player in the next Shockwave Player update.
Do You Have Shockwave Player Installed?
Users can check whether or not they even have Shockwave Player installed by visiting the Test Shockwave Player page on Adobe’s website.
If you see an animation on that page, you have it installed. If you’re prompted to download Shockwave, or if a .dcr file is downloaded (which only seems to happen in Google Chrome), then you do not have it installed.
Want to Remove Shockwave Player?
If you have Shockwave Player installed and you don’t need/want it, you can use Adobe’s uninstallation tool to get rid of it.
Have Shockwave Player Installed & Want to Protect Your PC?
If you have Shockwave Player installed and you wish to keep it, you may want to consider using one of the following workarounds:
- Use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)
- Disable Shockwave Player ActiveX control in Internet Explorer
- Limit access to Director files
- Enable DEP in Microsoft Windows
Instructions on how to apply these temporary workarounds can be found in Dormann’s advisory: Vulnerability Note VU#323161.
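For administrators who would rather check a Windows machine locally than rely on the browser test page, the following PowerShell sketch looks for Shockwave Player in the uninstall registry and reports the system-wide DEP policy. It is an added example, not from Adobe or from Dormann’s advisory; the `*Shockwave Player*` display-name match and the function names are assumptions.

```powershell
# Added example: local inventory check, not part of the original article.
# Assumption: the installer registers a DisplayName containing "Shockwave Player".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ShockwaveInstall {
    # Read the native and 32-bit uninstall hives; keys that do not exist are skipped.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Shockwave Player*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

function Get-DepPolicy {
    # Win32_OperatingSystem exposes the system-wide DEP policy as an integer.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        Available = $os.DataExecutionPrevention_Available
        Policy    = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

$installs = @(Get-ShockwaveInstall)
$dep = Get-DepPolicy

if ($installs.Count -eq 0) {
    Write-Output 'Shockwave Player: not found in the uninstall registry.'
} else {
    $installs | Format-List
}
Write-Output ("DEP available: {0}; policy: {1}" -f $dep.Available, $dep.Policy)

if ($installs.Count -gt 0 -and $dep.Policy -in 'AlwaysOff', 'OptIn') {
    # OptIn protects only Windows components and programs that opt in.
    Write-Warning 'Shockwave Player is installed and DEP is not enforced for all programs.'
}
```

The script requires PowerShell 3.0 or later for `Get-CimInstance` and the `-in` operator.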