Feeds

Didn't you know? Today's Patch Thursday! Adobe splats hijack bug in Shockwave Player

Update now before someone reverse-engineers this RCE

Internet Security Threat Report 2014

Adobe has updated its Shockwave Player to close a security hole that could allow hackers to hijack vulnerable Windows and OS X computers.

The Photoshop giant said version 12.1.150 will address a flaw that enables an attacker to potentially remotely control a targeted system: a malicious file opened by Shockwave could exploit a memory corruption bug to perform remote code execution. Given the animation player runs in the user's browser, it would be trivial to take a swipe at passing web visitors.

The company said the flaw is present in the Windows and OS X versions of Shockwave Player, which is apparently installed on 450 million machines worldwide. No exploits targeting the flaw have been spotted as of yet. Discovery of the flaw was credited to Honggang Ren of FortiGuard Labs. The CVE ID assigned to the bug, CVE-2014-0505, was created on December 20 last year.

This critical Shockwave update comes two days after Adobe released a separate fix for a security vulnerability in its Flash Player software; such updates usually come out on the second Tuesday of every month to coincide with Microsoft's monthly Patch Tuesday security releases.

"At this time, only Adobe Reader, Acrobat and Flash are officially on a Patch Tuesday release schedule," an Adobe spokesperson told The Reg.

"We try to schedule security updates for other Adobe products on Patch Tuesdays as much as possible. In some instances, however, there are factors (such as engineering schedules) that require us to release updates on different dates."

Users can obtain the latest patched version of Shockwave Player from Adobe's Shockwave download site. Those who have not yet installed this month's Patch Tuesday updates, released earlier this week by Adobe and Microsoft, are encouraged to do so. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.