The U.S. Computer Emergency Readiness Team (US-CERT) has published an advisory warning that Adobe's Shockwave Player contains a vulnerable version of the Flash runtime, along with another advisory noting that Adobe Shockwave Xtras can be installed without prompting.
While both vulnerabilities were first disclosed in October of 2010, the advisories state that, in both cases, "We are currently unaware of a practical solution to this problem."
"Shockwave uses a custom Flash runtime instead of a globally installed Flash plugin," The H Security reports. "According to US-CERT, the Flash vulnerabilities can be exploited to execute arbitrary code at the user's privilege level via specially crafted Shockwave content."
Similarly, Threatpost's Michael Mimoso notes, "Shockwave movies that use Xtras install them as needed, and if the extension is signed by Adobe, it is installed without user interaction. Attackers are able to exploit this situation because the Xtras are stored in the Shockwave movie file; old extensions that are vulnerable to exploit can be installed automatically."
"The attack is fairly simple to carry out, though there have been no reports of it being actively used by cybercriminals," writes SearchSecurity's Robert Westervelt. "An attacker could convince a user to view malicious Shockwave content and then execute malicious code with the privileges of the user."
"Shockwave is one of those programs that I’ve urged readers to remove or avoid installing," writes Krebs on Security's Brian Krebs. "Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front."