Adobe Shockwave Player 18.104.22.168 and earlier versions on the Windows and Macintosh operating systems provide a vulnerable version of the Flash runtime.
Adobe Macromedia Shockwave Player is software that plays active web content developed in Macromedia and Adobe Director. Shockwave Player is available as an ActiveX control for Internet Explorer and as a plug-in for other web browsers. Shockwave is also available in "Full" and "Slim" installers. The "Slim" installer provides fewer Xtras, which may be installed on an on-demand basis when a Shockwave movie attempts to use them.
The "Full" installer for Shockwave Player 22.214.171.124 provides Flash version 11.5.502.146, which was released on January 8, 2013. This version of Flash contains several exploitable vulnerabilities. Note that Shockwave uses its own Flash runtime, provided by the file Flash Asset.x32, rather than using a Flash runtime that may be installed on a system-wide basis.
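Because the bundled runtime lives in its own file, updating the system-wide Flash Player does not change it, so an inventory has to look for Flash Asset.x32 itself. The following is an added example (not CERT/CC or Adobe code) that walks operator-supplied directories, reads each copy's version string and flags copies at or below 11.5.502.146. It assumes the Xtra carries a standard PE version resource whose FileVersion reflects the bundled Flash version; `write_sample` is a hypothetical helper that builds a constructed stand-in file for the demo.

```python
import os
import re
import tempfile

XTRA_NAME = "flash asset.x32"        # bundled runtime file named in the advisory
ADVISORY_FLASH = (11, 5, 502, 146)   # Flash version the advisory says it provides

# Assumption: the Xtra carries a standard PE version resource, in which the
# UTF-16LE key "FileVersion" is followed by NUL padding and the value string.
_KEY = "FileVersion".encode("utf-16-le")
_VALUE = re.compile(rb"(?:\x00\x00)+((?:[0-9., ]\x00){3,40})")

def parse_version(text):
    """'11,5,502,146' or '11.5.502.146' -> (11, 5, 502, 146)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:4])

def read_file_version(path):
    """Heuristic scan for the FileVersion string; None when it is not found."""
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(_KEY)
    match = _VALUE.match(data, pos + len(_KEY)) if pos >= 0 else None
    return (parse_version(match.group(1).decode("utf-16-le")) or None) if match else None

def find_bundled_flash(roots):
    """Return (path, version, flagged) for each Flash Asset.x32 under roots."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in (f for f in files if f.lower() == XTRA_NAME):
                path = os.path.join(dirpath, name)
                version = read_file_version(path)
                # Flag the advisory's version, anything older, and unreadable files.
                flagged = version is None or version <= ADVISORY_FLASH
                hits.append((path, version, flagged))
    return hits

def write_sample(directory, version_text):
    """Constructed stand-in file, not a real Xtra: only carries a FileVersion."""
    path = os.path.join(directory, "Flash Asset.x32")
    with open(path, "wb") as fh:
        fh.write(b"MZ" + bytes(62) + _KEY + bytes(4) + version_text.encode("utf-16-le") + bytes(2))
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp, "11,5,502,146")
        for path, version, flagged in find_bundled_flash([tmp]):
            print(path, version, "REVIEW" if flagged else "newer than advisory")
```

A copy that is not flagged is only newer than the version this note names; whether that newer runtime is current has to be checked separately.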
By convincing a user to view specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Date First Published: 2012-12-17
Date Last Updated: 2014-05-15 18:40 UTC