Oct 29, 2010 06:45 GMT

Adobe has released an update for its Shockwave Player application that addresses critical vulnerabilities, including a zero-day that is being actively exploited in the wild.

The new Shockwave Player 11.5.9.615 version contains fixes for a total of eleven vulnerabilities that could lead to arbitrary code execution.

Six of the flaws are located in the dirapi.dll module and another two in IML32.dll. The rest of the bugs affect unspecified components.

One of the vulnerabilities, identified as CVE-2010-3653, was reported earlier this week by researchers from a group called Abyssec Security Research.

The flaw was disclosed as a zero-day and the Abyssec advisory included a full description of the vulnerable code and a proof-of-concept exploit.

According to Adobe's security bulletin accompanying this release, there are already reports of CVE-2010-3653 being exploited in the wild, so patching is mandatory.

Adobe Shockwave Player allows playing dynamic content created with Adobe Director, which is a more powerful alternative to Flash.

However, since the Flash technology has long won the popularity contest, there is little Director content on the Internet.

This is not the first time Shockwave Player has been attacked, and it will probably not be the last, so unless it's really needed, people should consider uninstalling the application completely.

In related news, an actively exploited zero-day vulnerability currently affects Flash Player, Adobe Reader and Acrobat.

Adobe plans to release fixed versions for these programs during the second and third weeks of November, respectively.

However, until then, users are advised to disable SWF playback in PDF documents by renaming or deleting the authplay.dll file from the installation directories of Adobe Reader and Acrobat.
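The workaround above can be scripted so that it is applied consistently and is easy to undo. The following is an added example, not part of the original article and not an Adobe tool; the `.disabled` suffix and the function names are choices made for this sketch, and the Reader and Acrobat installation directories are supplied by the caller because the article does not list them.

```python
"""Disable SWF playback in Adobe Reader/Acrobat by renaming authplay.dll (reversible)."""
import os
import sys

TARGET = "authplay.dll"   # file named in the article's workaround
SUFFIX = ".disabled"      # assumed marker suffix, chosen for this example


def find_authplay(roots):
    """Return paths of every authplay.dll (case-insensitive) under the given roots."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == TARGET:
                    hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def disable_authplay(roots, dry_run=True):
    """Rename each authplay.dll to authplay.dll.disabled; return (old, new, status) tuples."""
    results = []
    for path in find_authplay(roots):
        new_path = path + SUFFIX
        if os.path.exists(new_path):
            status = "skipped: target exists"
        elif dry_run:
            status = "would rename"
        else:
            try:
                os.rename(path, new_path)
                status = "renamed"
            except OSError as exc:  # e.g. file locked by a running Reader, or no admin rights
                status = f"failed: {exc.strerror}"
        results.append((path, new_path, status))
    return results


if __name__ == "__main__":
    # Usage: python disable_authplay.py [--apply] <install dir> [<install dir> ...]
    args = sys.argv[1:]
    apply_changes = "--apply" in args
    roots = [a for a in args if a != "--apply"]
    for old, new, status in disable_authplay(roots, dry_run=not apply_changes):
        print(f"{status}: {old} -> {new}")
```

Without `--apply` the script only reports what it would rename; removing the `.disabled` suffix restores the original file.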

There are no reports of Flash Player being targeted directly at the moment, but there is a high possibility that it will be.

Unfortunately, disabling Flash Player altogether is impractical, because it can be very disruptive to the online experience.

Therefore, users are advised to keep their anti-malware programs up to date in order to prevent any potential exploit.

Mozilla Firefox users can also install the NoScript extension, which provides granular control over Flash content. This prevents automatic loading of potentially malicious SWF files.

The latest version of Shockwave Player for Windows can be downloaded here.

The latest version of Shockwave Player for Mac can be downloaded here.