• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Latest Version of ShockWave Corrects a Pair of Critical Flaws

February 12, 2014 By Corey Nachreiner

Summary:

  • This vulnerability affects: Adobe Shockwave Player 12.0.7.148 and earlier, running on Windows and Macintosh computers
  • How an attacker exploits it: By enticing your users into visiting a website containing a malicious Shockwave file
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (12.0.9.149) as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

In a security bulletin released Tuesday, Adobe warned of two critical vulnerabilities that affect Adobe Shockwave Player 12.0.7.148  for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail, only describing them as memory corruption vulnerabilities. The flaws share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit either of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version as soon as you can.

As an aside, Adobe also released a security bulletin last week, fixing a zero day vulnerability in Flash Player. If you happened to miss that update, be sure to install it as well.

Solution Path

Adobe has released a new version of Shockwave Player, version 12.0.9.149. If you use Adobe Flash in your network, we recommend you download and deploy this updated player as soon as possible.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from accessing Shockwave content (.SWF) via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of this vulnerability by blocking .SWF files using your Firebox’s proxy services. That said, many websites rely on Shockwave for interactive content, and blocking it could prevent these sites from working properly.

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

  • Adobe’s February 2014 Shockwave Player Security Bulletin

Share This:

Related

Filed Under: Security Bytes Tagged With: Adobe, shockwave

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • 3CX Supply Chain Attack
  • Here Come The Regulations

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • 3CX Supply Chain Attack
  • The NSA’s Guidance on Securing Authentication
  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use