According to a report from security researcher Will Dormann at Carnegie Mellon University, the current download of Adobe’s Shockwave being shipped out to customers contains a version of Flash that is 15 months behind on security updates, hotfixes, and patched exploits.
The lack of updates on this particular version means that anyone who’s sought out of used a Flash crack in the past year and three months would be able to retroactively apply those tactics to a new computer, effectively bypassing any stops that Adobe has put in place in the time that’s passed since.
As if that weren’t bad enough, Dormann said it may actually be easier for attackers to exploit Flash vulnerabilities via Shockwave than it is to exploit them directly against the standalone Flash plugin itself. That’s due to the fact that because Shockwave has several modules which don’t opt in to trivial exploit mitigation techniques built into Microsoft Windows, such as SafeSEH, hackers are easily able to take advantage of the patch gap and slip into someone’s computer completely unnoticed.
“So not only are the vulnerabilities there, but they’re easier to exploit as well,” Dormann said. “One of the things that helps make a vulnerability more difficult [to exploit] is how many of the exploit mitigations a vendor opts in to. In the case of Shockwave, there are some mitigations missing in a number of modules, such as SafeSEH. Because of this, it may be easier to exploit a vulnerability when Flash is hosted by Shockwave, for example. By convincing a user to view a specially crafted Shockwave content an attacker may be able to execute arbitrary code with the privileges of the user.”
All versions of Shockwave are currently considered “unstable” by the researchers at KrebsOnSecurity, who have confirmed that the problem exists for all OS’s including Mac OSX, Windows, and Linux.
All in all there are around 20 different known vulnerabilities that have gone without a patch, many of which grant full remote access to any attackers who know how to bend the weakened code to their will on command.
The number of machines who have installed the under-updated version of the video playing platform is currently unknown, however it’s believed that with the length of time this download has been available on Adobe’s website, it could potentially affect tens of thousands of users if a cork isn’t placed in the bottle anytime soon.
Because vulnerabilities which have existed for months could easily be applied to this current version of Shockwave, it’s imperative that anyone who’s installed or used the program in the past few weeks to immediately uninstall the software suite, at least until Adobe releases a fix hopefully sometime in the very near future.