Adobe Systems Inc. issued an advisory Thursday warning about a critical zero-day vulnerability in Shockwave Player that could cause the program to crash and enable an attacker to take complete control of a victim's system.
Adobe said it was not aware of any attacks exploiting the vulnerability, but security experts said Thursday that exploit code targeting the new zero-day has surfaced. The zero-day flaw affects Adobe Shockwave Player 188.8.131.522 and earlier versions running on Windows and Mac OS X.
"We are currently working on determining the schedule for an update to address this vulnerability in Adobe Shockwave Player," Adobe said in its security advisory.
The vulnerability was disclosed by researchers at Abysssec, a security consultancy that does penetration testing, reverse engineering and coding projects. In an advisory, the firm said an attacker could remotely exploit the Shockwave Player memory corruption error. The flaw is in the way the player's plug-in loads Adobe Director video files.
Abysssec said security protections in Windows 7 and Windows Vista would not protect users.
Danish vulnerability clearinghouse Secunia rated the vulnerability "extremely critical." In its advisory, Secunia said the Shockwave Player flaw is due to an array-indexing error.
- Robert Westervelt