Zero-day exploit for Adobe Shockwave
A Windows exploit for a previously undisclosed hole in Adobe's Shockwave player has been released. The demonstration version of the the exploit merely opens the Windows calculator when a specially crafted web page is accessed. However, criminals could exploit the hole to infect a PC with malware. The exploit currently only works under Windows XP SP3 and just triggered a browser crash when tested with Windows 7 and Internet Explorer by the The H's associates at heise Security.
The hole is caused by a flaw in the code for processing specially crafted data blocks in Director files. Adobe has confirmed the flaw for version 220.127.116.112 and earlier versions under Windows and Mac OS X. There is as yet no update, but the vendor is reportedly working on a solution to the problem.
Most users are unlikely to have installed the Shockwave player and its browser plug-in. Under Firefox and Google Chrome, the attack is ineffective. Internet Explorer, on the other hand, immediately tries to download and install the missing plug-in, but it at least requests the user's permission.
Shockwave offers an extended range of features compared with the Flash Player. It is typically used for rendering complex, interactive presentations, games and other applications. Whether Shockwave is installed on a system can be tested online: Test Adobe Shockwave Player.