The vulnerability affected the IE version of the player

Jul 29, 2009 13:17 GMT

Adobe has announced a new version of its Shockwave platform, which fixes a critical security vulnerability revealed by Microsoft yesterday in its Active Template Library (ATL). The vulnerability affected the Internet Explorer versions of Adobe's Shockwave player as well as Flash Player. Shockwave 11.5.0.601 was released yesterday to remedy the problem and a new version of the Flash player will be released on July 30.

“Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows leverages a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system. Adobe has provided a solution for the reported vulnerability,” reads the Security Bulletin for the vulnerability.

The critical Microsoft vulnerability could potentially allow an attacker to run arbitrary code and take control of the system. The new update closes that vulnerability, but Adobe still recommends that users install the Microsoft patch for the bug as well.

Adobe's Product Security Incident Response Team (PSIRT) announced that only Shockwave and Flash were affected by the bug, with the Adobe Reader browser plugin, Connect Pro, Flash Lite for mobile devices and other products safe from the vulnerability. Furthermore, the problem only extends to Internet Explorer on Windows, whereas versions of the two plugins for Firefox and other browsers running on Windows, as well as on other platforms like Linux, Mac or Solaris, are not affected.

The bug fix was integrated in a regularly scheduled update for Shockwave, which also brings several other fixes. Most notably, a memory leak in the Physics module was fixed, as was a Font Style problem. The GetPref() method was modified so that it will also read Shockwave 10 preferences if the ones for the latest version aren't available. Finally, a problem with “Bounding Sphere” in Physics was also solved.

Adobe Shockwave Player 11.5.1.601 is available for download here.