The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) is warning about a dangerous security hole in Adobe’s Shockwave Player that could be used to silently install malicious code. The truly shocking aspect of this bug? U.S. CERT first warned Adobe about the vulnerability in October 2010, and Adobe says it won’t be fixing it until February 2013.
Shockwave is a browser plug-in that some sites require. At issue is a feature of Adobe Shockwave that allows the installation of “Xtras,” downloadable components meant to interact with the media player. According to an advisory from US-CERT, the problem is that Shockwave installs Xtras that are signed by Adobe or Macromedia without prompting, which can allow an attacker to target vulnerabilities in older Xtras.
From the advisory:
When a Shockwave movie attempts to use an Xtra, it will download and install it as necessary. If the Xtra is signed by Adobe or Macromedia, it will be installed automatically without any user interaction. Because the location from which Shockwave downloads the Xtra is stored in the Shockwave movie itself, this can allow an attacker to host old, vulnerable Xtras that can be installed and exploited automatically when a Shockwave movie is played.
US-CERT warned that by convincing a user to view specially crafted Shockwave content (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user.
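The trust decision the advisory describes, modelled as an added example (not Adobe's code): the legacy policy installs anything carrying a vendor signature, so a validly signed but old, vulnerable component served from a host named in the movie gets through; the hardened policy treats the signature as necessary but not sufficient. The signer names come from the advisory; the version floor, vendor origin, and sample Xtras are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model of the Xtra-loading decision the advisory describes; not Adobe's code.
TRUSTED_SIGNERS = {"Adobe", "Macromedia"}
# Assumed defender-maintained floor: oldest build of each Xtra still considered safe.
MIN_GOOD_VERSION = {"ExampleXtra": (2, 0, 0)}
# Assumed vendor-controlled download origin (placeholder, not a real Adobe URL).
VENDOR_ORIGIN = "https://xtras.vendor.invalid/"


@dataclass
class Xtra:
    name: str
    version: tuple          # (major, minor, patch)
    signer: str             # who signed the component
    download_url: str       # in Shockwave this location comes from the movie itself


def legacy_policy(x: Xtra) -> str:
    """A valid vendor signature alone is enough: silent install, no version or origin check."""
    return "install" if x.signer in TRUSTED_SIGNERS else "prompt"


def hardened_policy(x: Xtra) -> str:
    """Signature is necessary but not sufficient: refuse movie-chosen origins and downgrades."""
    if x.signer not in TRUSTED_SIGNERS:
        return "reject: untrusted signer"
    if not x.download_url.startswith(VENDOR_ORIGIN):
        return "reject: download location chosen by the movie"
    floor = MIN_GOOD_VERSION.get(x.name)
    if floor is None:
        return "prompt: unknown component"
    if x.version < floor:
        return "reject: known-vulnerable version (downgrade)"
    return "install"


# Constructed samples: an old but validly signed Xtra served from a host the movie names,
# the same old build served from the vendor, and a current build served from the vendor.
OLD_FROM_MOVIE_HOST = Xtra("ExampleXtra", (1, 3, 0), "Macromedia", "http://movie-host.invalid/ExampleXtra.x32")
OLD_FROM_VENDOR = Xtra("ExampleXtra", (1, 3, 0), "Macromedia", VENDOR_ORIGIN + "ExampleXtra.x32")
CURRENT_FROM_VENDOR = Xtra("ExampleXtra", (2, 1, 0), "Adobe", VENDOR_ORIGIN + "ExampleXtra.x32")

if __name__ == "__main__":
    for x in (OLD_FROM_MOVIE_HOST, OLD_FROM_VENDOR, CURRENT_FROM_VENDOR):
        print(f"{x.name} {x.version} via {x.download_url}: "
              f"legacy={legacy_policy(x)}, hardened={hardened_policy(x)}")
```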
Reached via email, an Adobe spokeswoman confirmed that US-CERT had alerted the company about the flaw in October 2010, but said Adobe is not aware of any active exploits or attacks in the wild using this vulnerability.
“Adobe has been working on addressing this issue in the next major release of Adobe Shockwave Player, which is currently scheduled to be released in February 2013,” Adobe’s Wiebke Lips wrote.
Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.
If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave, then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.
Speaking of Java, Oracle shipped an update to its Java software, which brings the program to Java 7 Update 10 or Java 6 Update 38. There are bug fixes with these releases, but no official security updates. However, the Java 7 update does include some new functionality designed to make it easier to disable Java in the browser. Oracle is expected to stop shipping updates for Java 6 in February 2013.
Thomas Kristensen, chief security officer of security firm Secunia, said he believes “these features do not make Java more secure in itself, however, it will likely make it easier for users to make their PCs more secure as it becomes easier to manage certain restrictions.” Readers who want more information about how to disable Java in the browser, and adopt my recommendation for a two-browser approach to using Java, can consult this blog post. Bottom line: If you don’t need Java, get rid of it.