20 Dec 2012

Shockwave Remote Code Execution Bug Waiting February Patch, Adobe Says

A two-year-old Shockwave vulnerability that allows for remote code execution on user machines will be patched in February of 2013, according to an Adobe spokesperson.

The vulnerability enables attackers to downgrade Shockwave to an older, more vulnerable version that is affected by several known vulnerabilities. Although two years have passed since the U.S. Computer Emergency Readiness Team (US-CERT) issued an advisory, no in-the-wild attacks have been reported.

Because Shockwave is tightly integrated with other Adobe software, such as Flash, the downgrade also opens the possibility of security breaches that affect that other software.

"Because of this design, attackers can simply target vulnerabilities in the Shockwave 10 runtime, or any of the Xtras provided by Shockwave 10," U.S. CERT wrote. "For example, the legacy version of Shockwave provides Flash, which was released on November 14, 2006 and contains multiple, known vulnerabilities."

Although US-CERT has published two warnings on the matter, Adobe will focus on fixing the Flash issue, as it affects both PC and Mac users. Wiebke Lips, senior manager with Adobe corporate communications, said the company is "not aware of any active exploits or attacks in the wild using these techniques," and believes the vulnerabilities are not as dangerous as they seem.

No specific date has been given for when a patch for the browser-based vulnerability will become available, but Adobe plans to fix the issue as quickly as possible.