Jump to content

Adobe Warns of Shockwave Bug


Recommended Posts

A security researcher has released an exploit for an unpatched security vulnerability in Adobe's Shockwave Player, warning that the flaw could be targeted to launch drive-by malware download attacks. Adobe has issued a security advisory to confirm the vulnerability and warn that the public attack code could provide a roadmap for malicious hackers to take complete control of a vulnerable computer.

Adobe rates the issue as "critical" and says the vulnerability affects Shockwave Player and earlier versions for Windows and Mac OS X.

A critical vulnerability exists in Adobe Shockwave Player and earlier versions on the Windows and Macintosh operating systems. This vulnerability (CVE-2010-3653) could cause a crash and potentially allow an attacker to take control of the affected system.

While details about the vulnerability have been disclosed publicly, Adobe is not aware of any attacks exploiting this vulnerability at this time.

Adobe did not say when a patch would be made available.

The company did not offer any pre-patch mitigations but said it was actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available.

Technical details on the vulnerability can be found here.

The vulnerability appears eerily similar to this issue that was patched in August but Adobe security chief Brad Arkin says they appear unrelated. Adobe is still conducting triage on the bug.

view.gif View: Original Article

Link to comment
Share on other sites

  • Replies 2
  • Views 920
  • Created
  • Last Reply

Adobe warned Thursday of a critical bug in its Shockwave Player that affects both Windows and Macintosh PCs.

The bug, which was publicly disclosed Thursday, "could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in a message on its website.

In its security advisory, Adobe said it considers the issue "critical," and is working on a patch for the flaw. The company isn't saying when that patch will ship, however.

So far, there aren't any reports of attacks that leverage the bug, but this type of public disclosure of a serious bug is often a harbinger of future attacks.

Adobe's Reader software has been a regular target for Web-based attacks over the past year, and while the Shockwave Player is used by about half as many people as Reader, it's probably good enough for many hackers.

"Hundreds of millions of computers with Internet connectivity have Shockwave installed, so, this will obviously be an attractive target for attackers," security vendor Symantec said Thursday in an e-mailed statement.

If attacks do become a problem, users can disable Shockwave in their Web browsers until a patch becomes available.

The bug was found by Shahin Ramezany, a security researcher who said he released details of the problem to celebrate the fact that he now has 1,000 followers on Twitter. He had earlier promised to release an Adobe 0day when he crossed that threshold.

view.gif View: Original Article

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...