In association with heise online

19 December 2012, 20:14

Shockwave uses vulnerable Flash

US-CERT has warned that a security hole exists in Adobe's Shockwave Player. Version 11.6.8.638 and earlier versions that were installed using the company's "Full" installer are affected. These all include an older version of Flash (10.2.159.1) that contains several exploitable vulnerabilities.

Shockwave uses a custom Flash runtime instead of a globally installed Flash plugin. According to US-CERT, the Flash vulnerabilities can be exploited to execute arbitrary code at the user's privilege level via specially crafted Shockwave content.

As the Shockwave Player tends to be used only rarely, simply uninstalling the software is enough to provide protection; Adobe offers an uninstaller for this purpose. Alternatively, a killbit can be set, which prevents the Shockwave ActiveX control from being instantiated by Internet Explorer. US-CERT has attached instructions for the workaround – including the required CLSID for the killbit – to its warning.

(fab)
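The killbit workaround described above can be audited and applied with a short script. This is an added example, not part of the original article or the US-CERT advisory: the CLSID is a placeholder to be replaced with the value from the advisory, and the function names are hypothetical. The registry location and the 0x400 flag are the standard Internet Explorer killbit mechanism.

```powershell
# Added example: audit (and optionally set) the IE killbit for one ActiveX CLSID.
# Run from an elevated prompt when using -Set, since it writes under HKLM.
param(
    # Placeholder only: substitute the Shockwave CLSID from the US-CERT advisory.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',
    [switch]$Set
)

$KillBit = 0x400   # "Compatibility Flags" bit that blocks instantiation in IE
$Roots = @(
    # Native view, plus the 32-bit view used by 32-bit IE on 64-bit Windows.
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Root, [string]$Clsid)
    $prop = Get-ItemProperty -LiteralPath "$Root\$Clsid" `
        -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $false }          # key or value missing
    return (($prop.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = "$Root\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve any flags already present and add the killbit on top.
    $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
}

foreach ($root in $Roots) {
    # Skip the Wow6432Node view on 32-bit systems, where it does not exist.
    if (-not (Test-Path -LiteralPath (Split-Path $root -Parent))) { continue }
    if ($Set -and -not (Test-KillBit $root $Clsid)) { Set-KillBit $root $Clsid }
    [pscustomobject]@{
        RegistryView = $root
        Clsid        = $Clsid
        KillBitSet   = Test-KillBit $root $Clsid
    }
}
```

A control is only blocked for both 32-bit and 64-bit Internet Explorer when `KillBitSet` is true in every view the script reports.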

Permalink: http://h-online.com/-1772754