14 DAY TRIAL // A new version of Shockwave Player has been released to address critical vulnerabilities that can be exploited to execute arbitrary code remotely.
The new Adobe Shockwave Player 11.6.1.629 version fixes seven memory corruption vulnerabilities that can lead to full system compromise.
Mark Yason of IBM X-Force is credited with discovering and reporting two of the flaws, identified as CVE-2010-4308 and CVE-2010-4309 respectively.
A separate remote code execution vulnerability (CVE-2011-2419) in the IML32.dll component was identified by Aaron Portnoy and Logan Brown of TippingPoint DVLabs.
Researcher Andrzej Dyjak from the Polish Japanese Institute of Information Technology is credited with the discovery of three vulnerabilities (CVE-2011- 2420, CVE-2011-2422, CVE-2011-2423).
One of them (CVE-2011-2421) is located in Dirapi.dll and can be exploited by tricking victims into playing maliciously crafted .dir media files.
The final vulnerability patched in this release (CVE-2011- 2421) is a memory corruption issue in the msvcr90.dll component and was attributed to Honggang Ren of Fortinet's FortiGuard Labs.
Adobe Shockwave Player allows playing dynamic content created with Adobe Director which is a more powerful alternative to Flash. However, the Flash technology has long won the popularity contest and there is little Director content on the Internet.
Despite its lower installation count, there have been cases when Shockwave Player vulnerabilities were targeted in the wild. "Adobe recommends users of Adobe Shockwave Player 11.6.0.626 and earlier versions update to Adobe Shockwave Player 11.6.1.629," the company writes.
Users who have Shockwave Player installed on their computers but don't remember ever needing it, should probably remove it. Adobe also released a critical security update for Flash Player yesterday, which users are also strongly encouraged to deploy as soon as possible.
The latest version of Shockwave Player for Windows can be downloaded from here. The latest version of Shockwave Player for Mac can be downloaded from here.