Shockwave uses vulnerable Flash
US-CERT has warned that a security hole exists in Adobe's Shockwave Player. Version 220.127.116.118 and earlier versions that were installed using the company's "Full" installer are affected. These all include an older version of Flash (10.2.159.1) that contains several exploitable vulnerabilities.
Shockwave bundles its own Flash runtime rather than using a globally installed Flash plugin, so updating the system-wide plugin does not fix the copy that Shockwave loads. According to US-CERT, the Flash vulnerabilities can be exploited to execute arbitrary code at the user's privilege level via specially crafted Shockwave content.
As the Shockwave Player tends to be used only rarely, simply uninstalling the software is enough to provide protection, and Adobe offers an uninstaller for this purpose. Alternatively, a killbit can be set. The killbit prevents the Shockwave ActiveX control from being instantiated by Internet Explorer. US-CERT has attached instructions for the workaround (including the required CLSID for the killbit) to its warning.