Though most organizations do not need Adobe's Shockwave Player installed, some users at my organization do need it, so the US-CERT warning over a major security hole in Shockwave has me concerned. What steps can we take to secure this vulnerability and make Shockwave as safe as possible for use?
Ask the Expert!
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
The US-Computer Emergency Readiness Team (US-CERT) issued a warning about three dangerous security holes in Adobe's Shockwave Player that could be used to silently install or run malicious code.
- Shockwave uses its own Flash runtime rather than the Flash Player installed on a user's system. The version that comes with Shockwave Player is Flash 10.2.159.1, which contains various known vulnerabilities that an attacker could exploit.
- Shockwave allows legacy versions of the runtime to be used to view content, meaning an attacker could start an older and unpatched version of Shockwave installed on a user's machine to show malicious content.
- Shockwave allows the installation of downloadable components called Xtras. Those signed by Adobe or Macromedia are automatically installed without prompting the user. Because the location from which Shockwave downloads the Xtra is stored in the Shockwave movie itself, this can allow an attacker to host old, vulnerable Xtras that can be installed and exploited automatically when a Shockwave movie is played.
US-CERT told Adobe about this last vulnerability back in October 2010, but it wasn't fixed until the February 2013 release of the Shockwave Player! Organizations that haven't already upgraded Shockwave should obviously do so as soon as possible. Beyond that, taking steps to mitigate these kinds of vulnerabilities in the future is essential.
If it really is essential for some users to have Shockwave installed, then I would put them on a separate network segment. This enables you to isolate them from the rest of the network and apply stricter firewall rules. To exploit these vulnerabilities, an attacker must trick a user into visiting a site that is hosting a malicious movie. Deploy a Web security gateway that provides dynamic reputation-based URL filtering, on-the-fly lookups of shortened links and search-result cleansing to prevent users from inadvertently visiting sites that may host malicious Shockwave content. A refresher course in security awareness training covering the dangers of clicking on links in email from unknown sources will also help prevent users from being tricked into visiting malicious sites.
If users only need to visit specific sites hosting Shockwave content, those sites can be whitelisted by deploying Firefox with the NoScript extension, which blocks Shockwave content from all other sites. Remove the Shockwave Player from the machines of users who do not need to view Shockwave content, or at least disable the Shockwave ActiveX control or plug-in in their browsers.
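The whitelisting advice above can be checked from the gateway side as well. The following is an added example, not code from the original answer or from Adobe: it scans constructed proxy log lines and flags any Shockwave movie or Xtra download from a host outside a hypothetical allowlist, so that content from unexpected sites (including Xtras whose download location the movie itself controls) stands out. The log format, the allowlist and the `.x32` Xtra extension are assumptions for the example.

```python
"""Flag Shockwave content fetched from hosts outside an allowlist."""
from urllib.parse import urlparse

# Hosts users are permitted to load Shockwave content from (hypothetical).
ALLOWED_SHOCKWAVE_HOSTS = {"training.example.com"}

# Extensions and MIME type that identify Shockwave movies and Xtras.
MOVIE_EXTENSIONS = (".dcr", ".dir", ".dxr")
XTRA_EXTENSIONS = (".x32",)  # Windows Xtra package extension (assumed)
SHOCKWAVE_MIME = "application/x-director"

# Constructed sample proxy log, not real traffic.
# Format: timestamp client_ip method url status content_type
SAMPLE_LOG = """\
2013-05-01T10:00:01 10.0.5.21 GET http://training.example.com/course1/intro.dcr 200 application/x-director
2013-05-01T10:00:09 10.0.5.21 GET http://cdn.unknown-site.example/ad.dcr 200 application/x-director
2013-05-01T10:00:10 10.0.5.21 GET http://cdn.unknown-site.example/xtras/old_xtra.x32 200 application/octet-stream
2013-05-01T10:01:00 10.0.5.33 GET http://news.example.org/index.html 200 text/html
"""


def classify_request(url, content_type):
    """Return 'movie', 'xtra' or None for a fetched URL and its MIME type."""
    path = urlparse(url).path.lower()
    if content_type.lower() == SHOCKWAVE_MIME or path.endswith(MOVIE_EXTENSIONS):
        return "movie"
    if path.endswith(XTRA_EXTENSIONS):
        return "xtra"
    return None


def find_violations(log_text, allowed_hosts=ALLOWED_SHOCKWAVE_HOSTS):
    """Return (client_ip, host, kind, url) for every Shockwave movie or Xtra
    fetched from a host that is not on the allowlist."""
    violations = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, _method, url, _status, ctype = parts
        kind = classify_request(url, ctype)
        if kind is None:
            continue
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed_hosts:
            violations.append((client, host, kind, url))
    return violations


if __name__ == "__main__":
    for client, host, kind, url in find_violations(SAMPLE_LOG):
        print(f"{client} fetched Shockwave {kind} from non-allowlisted host {host}: {url}")
```

Running the script against the sample log reports the movie and the Xtra pulled from the unknown host, while the whitelisted training site produces no alert.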
Keeping software patched and up to date is a priority, of course; remember that Windows XP Service Pack 3 goes out of support in April 2014.
This was first published in May 2013