Shockwave shocker: Plugin includes un-patched version of Flash
Year-old bugs patched in Flash remain present in Shockwave
Adobe's latest Shockwave Player ships with 18 unpatched, ageing Flash vulnerabilities, raising concern and befuddlement at the US Computer Emergency Response Team.
The video platform, used by 450 million people, contains a standalone Flash player that has not been updated since January last year.
Since that time, Adobe has issued a host of Flash vulnerability fixes to address problems that allowed Windows and Mac machines to be hijacked if users viewed crafted or compromised web pages.
Krebs on Security reports that Adobe plans to squash the bugged Flash version (11.5.502.146) in the next Shockwave release, but there's no word on when that's due.
Until then there's not much users can do other than uninstall Shockwave.
"By convincing a user to view a specially crafted Shockwave content, an attacker may be able to execute arbitrary code with the privileges of the user," US CERT engineer Will Dormann said in a vulnerability note.
"We are currently unaware of a practical solution to this problem."
Users determined to view pre-millennium websites with Shockwave could reduce their attack surface by limiting access to Director content and running script-blocking extensions. ActiveX could also be disabled in Internet Explorer by editing the Registry.
It was unknown whether Adobe would put an end to the inherently risky use of a standalone Flash player and instead opt for the system-wide, oft-patched version.
Updates notwithstanding, security spooks of Vulture South's acquaintance recommend users put an axe to Shockwave where possible, along with Flash and Java. ®