Adobe has failed to fix a remote code execution bug in Shockwave, more than two years after it was reported.
According to the US computer emergency response team (Cert), the flaw was reported in October 2010. "By convincing a user to view specially crafted Shockwave content (e.g. a web page or a HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user," the agency wrote.
The software installs Xtras signed by Adobe or Macromedia without prompting the user, a function that allows attackers to target old and vulnerable Xtras. According to Adobe, Xtras are "plug-in code modules that allow users to add specialised capabilities and extended functionality to products".
The slim version of Shockwave bundled fewer Xtras, so more of them had to be downloaded on demand, meaning attackers had more avenues of attack.
The Cert said: “Because the location from which Shockwave downloads the Xtra is stored in the Shockwave movie itself, this can allow an attacker to host old, vulnerable Xtras that can be installed and exploited automatically when a Shockwave movie is played.”
Failed exploit attempts would likely result in denial-of-service conditions. Adobe issued a statement saying it will only fix the flaw, found by analyst Will Dormann, in February next year in line with its next major Shockwave Player release.
The US agency recommended users either restrict handling of untrusted Director content, run NoScript to whitelist Shockwave Player websites or disable the Shockwave Player ActiveX control.
Security blogger Brian Krebs called the delay ‘shocking’. He said: “Shockwave is one of those programs that I've urged readers to remove or avoid installing. Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday web browsing.
“Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.”
Adobe recently announced plans to align its patching with Microsoft's Patch Tuesday, as did Google. Ziv Mador, director of security research at Trustwave, said: “Due to our dependence on Flash, there is indeed a co-dependent relationship between Microsoft, Adobe and Google. Interestingly, a large number of Flash security updates are now originating from Google, so the cooperation does seem to be going both ways.
“Synchronising these platforms is generally a good thing, so long as they remain committed to pushing out-of-cycle patches when they are necessary.”