www.esecurityplanet.com/news/article.php/3827171
Back to Article
Major Shockwave Security Flaw Fixed
By Sean Michael Kerner
June 26, 2009
From the 'doesn't everyone use Flash now?' files:
Adobe is advising users of its Shockwave player to update to a new version to protect against a critical remotely exploitable flaw.
The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions and according to Adobe's advisory, "... could allow an attacker who successfully exploits this vulnerability to take control of the affected system."
Adobe's new Shockwave Player 11.5.0.600 corrects the issue, though it requires users to uninstall their existing Shockwave player first.
While some might be alarmed by Adobe's disclosure, personally I don't see this flaw as a big issue at all -- though of course go and update now!
First off all, the flaw was responsibly disclosed first by way of the Tipping Point Zero Day Initiative (ZDI). The way that works is, ZDI pays the researcher for the flaw and then ZDI keeps the details under wraps until a fix exists.
Furthermore, according to the Internet Storm Center (ISC), no exploit details have been made public, and I have seen no indications at all that there is currently an exploit available in the wild (it doesn't mean there isn't one, just that none have been noticed --yet).
The other issue that needs to mentioned is the fact that Flash Player 10 and in general Flash Player, is at this point a more important player than Shockwave in my opinion. There was a time when the inverse was true, but that was many, many years ago.
So yes, go and patch your systems if you happen to be running Shockwave and while you're at it, make sure you've got the latest versions of Adobe Acrobat and Flash Player too.
Back to Article
Major Shockwave Security Flaw Fixed
By Sean Michael Kerner
June 26, 2009
From the 'doesn't everyone use Flash now?' files:
Adobe is advising users of its Shockwave player to update to a new version to protect against a critical remotely exploitable flaw.
The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions and according to Adobe's advisory, "... could allow an attacker who successfully exploits this vulnerability to take control of the affected system."
Adobe's new Shockwave Player 11.5.0.600 corrects the issue, though it requires users to uninstall their existing Shockwave player first.
While some might be alarmed by Adobe's disclosure, personally I don't see this flaw as a big issue at all -- though of course go and update now!
First off all, the flaw was responsibly disclosed first by way of the Tipping Point Zero Day Initiative (ZDI). The way that works is, ZDI pays the researcher for the flaw and then ZDI keeps the details under wraps until a fix exists.
Furthermore, according to the Internet Storm Center (ISC), no exploit details have been made public, and I have seen no indications at all that there is currently an exploit available in the wild (it doesn't mean there isn't one, just that none have been noticed --yet).
The other issue that needs to mentioned is the fact that Flash Player 10 and in general Flash Player, is at this point a more important player than Shockwave in my opinion. There was a time when the inverse was true, but that was many, many years ago.
So yes, go and patch your systems if you happen to be running Shockwave and while you're at it, make sure you've got the latest versions of Adobe Acrobat and Flash Player too.
Article courtesy of InternetNews.com.