Must Read: Sorry, but bringing back the Start menu won't help Windows 8

Topic: Security

Exploit published for unpatched Adobe Shockwave vulnerability

Summary: Adobe has issued a security advisory to confirm the vulnerability and warn that the public attack code could provide a roadmap for malicious hackers to take complete control of a vulnerable computer.

Ryan Naraine

By for Zero Day |

A security researcher has released an exploit for an unpatched security vulnerability in Adobe's Shockwave Player, warning that the flaw could be targeted to launch drive-by malware download attacks.

Adobe has issued a security advisory to confirm the vulnerability and warn that the public attack code could provide a roadmap for malicious hackers to take complete control of a vulnerable computer.

Adobe rates the issue as "critical" and says the vulnerability affects Shockwave Player 11.5.8.612 and earlier versions for Windows and Mac OS X. follow Ryan Naraine on twitter

A critical vulnerability exists in Adobe Shockwave Player 11.5.8.612 and earlier versions on the Windows and Macintosh operating systems. This vulnerability (CVE-2010-3653) could cause a crash and potentially allow an attacker to take control of the affected system.

While details about the vulnerability have been disclosed publicly, Adobe is not aware of any attacks exploiting this vulnerability at this time.

Adobe did not say when a patch would be made available.

The company did not offer any pre-patch mitigations but said it was actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available.

Technical details on the vulnerability can be found here.

The vulnerability appears eerily similar to this issue that was patched in August but Adobe security chief Brad Arkin says they appear unrelated.  Adobe is still conducting triage on the bug.

Topics: Security, Enterprise Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion

  • Wow!! It must be Thursday ....

    For pretty much the entire year, a vulnerability on an Adobe product is found (or notified) every Thursday.

    I think the Adobe is becoming like "old faithful" ... you can set your calendar by the release date of vulnerabilities.
    wackoae
    Reply Vote

    • RE: Exploit published for unpatched Adobe Shockwave vulnerability

      @wackoae

      Then you could also say that about ANY application, seeing as how most have reports of vulnerabilities that often.
      Lerianis10
      Reply Vote

  • No problem

    Uninstall Shockwave and then you will have no problem, at least with it. Seriously, as wackoae said, the fewer things you have that can go wrong make you that much more secure. Of course, if you were running Linux there would be no problem anyway since Shockwave is not available for Linux. You also don't need Adobe Reader except for filling in forms because evince (also available on Windows) is what you use instead. You could substitute gnash / swfdec for flash but I would advise dumping the flash to get rid of the dog and pony show which everybody puts on their home page. Actually the biggest threat from flash are those super cookies that three businesses are getting sued over, one of which is used by none other than Disney.
    hhhobbit
    Reply Vote

  • RE: Exploit published for unpatched Adobe Shockwave vulnerability

    This is about as newsworthy as Lindsey Lohan's under the influence problems, with Adobe's inability to patch their product in a timely manner.
    Did the sun rise? Then, adobe has a security hole.
    A more intriguing story would be Adobe hasn't NEEDED to patch their product for 3 hours in a row.
    LegendsOfBatman
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close