Summary:
- This vulnerability affects: Adobe Shockwave Player 12.0.7.148 and earlier, running on Windows and Macintosh computers
- How an attacker exploits it: By enticing your users into visiting a website containing a malicious Shockwave file
- Impact: An attacker can execute code on your computer, potentially gaining control of it
- What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (12.0.9.149) as soon as possible.
Exposure:
Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.
In a security bulletin released Tuesday, Adobe warned of two critical vulnerabilities that affect Adobe Shockwave Player 12.0.7.148 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail, only describing them as memory corruption vulnerabilities. The flaws share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit either of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.
If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version as soon as you can.
As an aside, Adobe also released a security bulletin last week, fixing a zero day vulnerability in Flash Player. If you happened to miss that update, be sure to install it as well.
Solution Path
Adobe has released a new version of Shockwave Player, version 12.0.9.149. If you use Adobe Flash in your network, we recommend you download and deploy this updated player as soon as possible.
For All WatchGuard Users:
Some of WatchGuard’s Firebox models allow you to prevent your users from accessing Shockwave content (.SWF) via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of this vulnerability by blocking .SWF files using your Firebox’s proxy services. That said, many websites rely on Shockwave for interactive content, and blocking it could prevent these sites from working properly.
Status:
Adobe has released a Shockwave Player update to fix these vulnerabilities.