Adobe Shockwave bundles Flash that’s 15 months behind on security fixes

Adobe's Shockwave Player bundles a version of the company's Flash Player that is 15 months behind on security updates, a gap that hackers can use to hijack both Windows PCs and Macs running it, a security expert has warned.

The advisory about the risk from Shockwave, published in late 2012 by security researcher Will Dormann of Carnegie Mellon University's CERT, escaped public notice until Wednesday, when KrebsOnSecurity reported on it. In the 15 months since the initial post, Adobe has made little progress. According to reporter Brian Krebs, the current version of Shockwave for both Windows and Mac systems lacks all of the Flash security fixes released since January 2013: almost 20 separate patches, some of them for critical holes that real-world hackers exploited in the wild to commandeer end users' computers. According to Krebs:

As if that weren’t bad enough, Dormann said it may actually be easier for attackers to exploit Flash vulnerabilities via Shockwave than it is to exploit them directly against the standalone Flash plugin itself. That’s because Shockwave has several modules that don’t opt in to trivial exploit mitigation techniques built into Microsoft Windows, such as SafeSEH.

“So not only are the vulnerabilities there, but they’re easier to exploit as well,” Dormann said. “One of the things that helps make a vulnerability more difficult [to exploit] is how many of the exploit mitigations a vendor opts in to. In the case of Shockwave, there are some mitigations missing in a number of modules, such as SafeSEH. Because of this, it may be easier to exploit a vulnerability when Flash is hosted by Shockwave, for example.”

Adobe spokeswoman Heather Edell confirmed that CERT’s information is correct, and that the next release of Shockwave Player will include the updated version of Flash Player.

“We are reviewing our security update process in order to mitigate risks in Shockwave Player,” Edell said.
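Dormann's remark about SafeSEH turns on a property that is recorded in each module's PE headers: a 32-bit module linked with /SAFESEH carries a table of its legitimate exception handlers in IMAGE_LOAD_CONFIG_DIRECTORY (the SEHandlerTable and SEHandlerCount fields), and opt-in to DEP and ASLR is recorded in the optional header's DllCharacteristics. The Python below is an added example written for this page, not tooling from Dormann, CERT or Adobe; it reads those fields from raw bytes so a defender can inventory which modules opt in, and it exercises the check against a constructed synthetic PE32 image (no real Shockwave module is parsed or included; the image layout, addresses and handler count are made-up test data).

```python
"""Report a PE module's opt-in to SafeSEH, DEP and ASLR from its headers.

Added example. The synthetic PE32 image built below is constructed test
data, not a real DLL; only the PE field offsets and flag values are real.
"""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (real PE constants)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image uses no SEH at all
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via (VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    return None


def mitigation_report(data):
    """Return {'aslr','dep','safeseh'}; safeseh is None for 64-bit images,
    where table-based unwinding makes SafeSEH inapplicable."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = _u32(data, 0x3C)                       # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = _u16(data, pe + 6)
    opt_size = _u16(data, pe + 20)
    opt = pe + 24                               # optional header start
    is_pe32 = _u16(data, opt) == 0x10B          # 0x20B would be PE32+
    dll_chars = _u16(data, opt + 70)
    ndirs = _u32(data, opt + (92 if is_pe32 else 108))
    dirs = opt + (96 if is_pe32 else 112)       # data directory array
    sec = opt + opt_size                        # section table, 40 bytes each
    sections = [(_u32(data, sec + 40 * i + 12), _u32(data, sec + 40 * i + 16),
                 _u32(data, sec + 40 * i + 20)) for i in range(nsections)]

    report = {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "safeseh": None,
    }
    if not is_pe32:
        return report
    if dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH:
        report["safeseh"] = True                # no handlers exist to overwrite
        return report
    # SafeSEH data lives in IMAGE_LOAD_CONFIG_DIRECTORY32: SEHandlerTable at
    # +64, SEHandlerCount at +68. No load config at all => not linked /SAFESEH.
    report["safeseh"] = False
    if ndirs <= IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        return report
    lc_rva = _u32(data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    lc_off = rva_to_offset(sections, lc_rva) if lc_rva else None
    if lc_off is None or _u32(data, lc_off) < 72:   # struct Size field too short
        return report
    report["safeseh"] = _u32(data, lc_off + 64) != 0 and _u32(data, lc_off + 68) > 0
    return report


def build_pe32_image(dll_chars, safeseh):
    """Construct a minimal synthetic PE32 image (test data, not a real module)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE header follows DOS header
    # COFF header: i386, 1 section, 224-byte optional header, EXECUTABLE|32BIT|DLL
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, 0x1000, 72)
    # One .rdata section: RVA 0x1000, 0x200 bytes, backed by file offset 0x200
    section = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x40000040)
    headers = bytes(dos + coff + opt + section).ljust(0x200, b"\0")
    load_config = bytearray(72)                 # IMAGE_LOAD_CONFIG_DIRECTORY32
    struct.pack_into("<I", load_config, 0, 72)  # Size
    struct.pack_into("<I", load_config, 60, 0x10001000)            # SecurityCookie (/GS)
    if safeseh:                                 # made-up table address, 3 handlers
        struct.pack_into("<II", load_config, 64, 0x10001100, 3)
    return headers + bytes(load_config).ljust(0x200, b"\0")


if __name__ == "__main__":
    hardened = IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    print("hardened:", mitigation_report(build_pe32_image(hardened, True)))
    print("legacy:  ", mitigation_report(build_pe32_image(0, False)))
```

On a real system the same `mitigation_report` can be run over the bytes of each module in a plugin's install directory; a 32-bit module that reports `safeseh: False` is one that, as Dormann describes, has not opted in to the mitigation.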

In the interest of reducing the "attack surface"—that is, the number of potentially exploitable components available for malicious hackers to target—Ars has long advised readers to strongly consider uninstalling Flash, Java, and other browser plugins that may provide more hazard than benefit. Readers should put Shockwave at the top of this list. This link shows that Shockwave is installed by prompting (or in the case of Google Chrome, initiating) a download on machines that don't have it. Mozilla Firefox users shouldn't confuse "Shockwave Flash" with "Shockwave Player." Adobe provides an uninstall tool here.
