Adobe recently released version 220.127.116.118 of its Shockwave Player, patching several vulnerabilities that could allow an attacker to run malicious code on an affected system.
"Numerous critical flaws in Shockwave, which could allow an attacker to inject malicious code into a system, have been closed by Adobe with the release of Shockwave Player 18.104.22.1688 for Windows and Macintosh systems," The H Security reports. "Overall, the vulnerabilities have six CVE numbers assigned to them (CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, CVE-2012-4176, CVE-2012-5273) and are mostly buffer overflows with one array out of bounds vulnerability."
"The company said it is not aware of active exploits," notes Threatpost's Michael Mimoso.
"Before you try to update Shockwave, you should check to see if your system even has it installed," advises Krebs on Security's Brian Krebs. "If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave, then you don’t have Shockwave installed and in all likelihood don’t need it. If you update or install Shockwave, be on the lookout for pre-checked 'extras;' my test installation of this update tried to foist a 30-day trial of Norton Internet Security."