It was recently discovered that Adobe Shockwave has been bundling a version of Flash Player that is over fifteen months old, and behind on important security updates.
From the Vulnerability Notes Database at kb.cert.org:
Adobe Macromedia Shockwave Player is software that plays active web content developed in Macromedia and Adobe Director. Shockwave Player is available as an ActiveX control for Internet Explorer and as a plug-in for other web browsers. Shockwave is also available in “Full” and “Slim” installers. The “Slim” installer provides fewer Xtras, which may be installed on an on-demand basis when a Shockwave movie attempts to use them.
The “Full” installer for Shockwave player 12.1.1.151 provides Flash version 11.5.502.146, which was released on January 8, 2013. This version of Flash contains several exploitable vulnerabilities. Note that Shockwave uses its own Flash runtime, provided by the file Flash Asset.x32, rather than using a Flash runtime that may be installed on a system-wide basis.
The note says that by convincing a user to view specially crafted Shockwave content, such as a web page or an HTML email message attachment, an attacker could execute arbitrary code “with the privileges of the user.”
It adds that CERT is currently unaware of a practical solution to the problem.
“This author has long advised computer users who have Adobe’s Shockwave Player installed to junk the product, mainly on the basis that few sites actually require the browser plugin, and because it’s yet another plugin that requires constant updating,” wrote Brian Krebs on the KrebsOnSecurity blog. “But I was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, it bundles a component of Adobe Flash that is more than 15 months behind on security updates, and which can be used to backdoor virtually any computer running it.”
The story was also picked up by popular tech blog Ars Technica, which points to an uninstall tool from Adobe.
Image via Adobe