The United States Computer Emergency Readiness Team (US-CERT) has issued an advisory to warn users about a vulnerability – affecting Adobe Shockwave Player Player 220.127.116.118 and earlier versions for Windows and Mac – which could be leveraged by cybercriminals to execute arbitrary code on the target system.
Apparently, the full version of Shockwave player 18.104.22.1688 comes with Flash 10.2.159.1. This Flash version is the component that contains the security holes.
According to experts, an attacker can execute arbitrary code with the privileges of the victim, simply by convincing them to view maliciously crafter Shockwave content.
The US-CERT reveals that, despite the fact that Adobe has been aware of the issue for over two years (since October 2010), the hole still hasn’t been fixed and, currently, there are no known practical mitigations.
The agency advises users to apply a series of workarounds, including disabling Shockwave Player in their browsers, and the use of Microsoft’s EMET and the Data Execution Prevention (DEP) mechanisms available in newer versions of the Windows operating system.
Adobe representatives have told Brian Krebs that they’ve been working on addressing this issue in the next major update, which is scheduled to be released in February 2013.