Adobe stalls Shockwave patch for two years

Adobe has failed to fix a dangerous remote code execution bug in Shockwave more than two years after it was reported.

The US computer emergency response team (CERT) reported the flaw in October 2010, noting that attackers could execute arbitrary code with user privileges.

"By convincing a user to view specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user," the agency wrote.

The software installs Xtras signed by Adobe or Macromedia without prompting the user, a function that allows attackers to target old and vulnerable Xtras. 

According to Adobe, Xtras are "'plug-in' code modules that let users add specialised capabilities and extended functionality to products."

The slim version of Shockwave bundled fewer Xtras, meaning attackers had more avenues of attack.

"Because the location from which Shockwave downloads the Xtra is stored in the Shockwave movie itself, this can allow an attacker to host old, vulnerable Xtras that can be installed and exploited automatically when a Shockwave movie is played," the CERT warned.

Failed exploit attempts would likely result in denial of service conditions.

But Adobe issued a statement saying it will only fix the flaw, found by analyst Will Dormann, in February next year in line with its next major Shockwave Player release.

The US agency recommended users either restrict handling of untrusted director content, run NoScript to whitelist Shockwave Player web sites or disable Shockwave Player ActiveX control.

The February fix date also marks the end of version 6 of Java after which point security updates will cease for the Oracle ware.

Users should run the latest versions of Java and Shockwave or remove the software if they were not needed.

Copyright © SC Magazine, Australia