A poorly implemented feature in Adobe Shockwave Player could potentially let attackers upload vulnerable files into the browser plugin, exposing users to drive-by attacks and other problems, according to a warning issued by the US-CERT.
The US-CERT said the weakness is contained in file packages, called Xtras, that are commonly used to extend the functionality of the Shockwave Player. The files are stored in the Shockwave movie itself, enabling an attacker to host old, vulnerable Xtras that can be installed and exploited automatically when a Shockwave movie is played, according to the advisory issued on Monday.
"If the Xtra is signed by Adobe or Macromedia, it will be installed automatically without any user interaction," the US-CERT warned.
The longstanding issue was brought to Adobe's attention in 2010, according to the advisory. It impacts users of the "Slim" version of Shockwave Player running on Mozilla Firefox and Internet Explorer.
The attack is fairly simple to carry out, though there have been no reports of it being actively used by cybercriminals. An attacker could convince a user to view malicious Shockwave content and then execute malicious code with the privileges of the user.
Adobe acknowledged the issue and said its engineering team plans to release an update in February fixing the problem.
"Adobe is working on addressing this issue in the next major release of Adobe Shockwave Player," the company said. "We are not aware of any active exploits or attacks in the wild using this particular technique."
The US-CERT said until an update is issued there is no practical solution available.
It said individuals and organizations can reduce their exposure by restricting the handling of untrusted Director content. Other workarounds include using browser extensions such as NoScript to whitelist only trusted websites that are allowed to run Shockwave Player in Mozilla browsers. Enterprises can also disable the Shockwave Player ActiveX control in Internet Explorer to mitigate the threat, though doing so could break some Web pages.
Windows users can add further protections by enabling data execution prevention (DEP), which can restrict the execution of code, making it harder for cybercriminals to target the flaw.
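The enterprise workaround described above, disabling the Shockwave Player ActiveX control in Internet Explorer, is usually done by setting the control's "kill bit" in the registry. The following PowerShell script is an added example written for this article and is not code from the US-CERT advisory or from Adobe; it assumes the Shockwave control's CLSID is `{166B1BCA-3F9C-11CF-8075-444553540000}` (confirm this under HKCR\CLSID on a machine with the plugin installed before deploying) and must run in an elevated session.

```powershell
# Added example: set the Internet Explorer kill bit for an ActiveX control so IE
# refuses to instantiate it, which is how the "disable the Shockwave ActiveX
# control" workaround is applied fleet-wide (e.g. through a logon or GPO script).
function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
        [string]$Clsid
    )
    # 0x400 is the COMPAT_FLAG_KILLBIT bit of the "Compatibility Flags" value.
    $KillBit = 0x400
    $Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # 64-bit Windows keeps a second key for the 32-bit IE process; cover both.
    if ([Environment]::Is64BitOperatingSystem) {
        $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    foreach ($Path in $Paths) {
        if ($PSCmdlet.ShouldProcess($Path, 'Set Compatibility Flags kill bit')) {
            if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
            # OR the kill bit into any flags already present rather than overwriting them.
            $Existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
            $NewValue = ([int]$Existing) -bor $KillBit
            Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $NewValue -Type DWord
        }
    }
}

# Verification step: returns $true only when the kill bit is present for the CLSID.
function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $Path = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $Flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ((([int]$Flags) -band 0x400) -ne 0)
}

# Assumed CLSID of the Shockwave Player ActiveX control; verify it locally first.
$ShockwaveClsid = '{166B1BCA-3F9C-11CF-8075-444553540000}'
Set-ActiveXKillBit -Clsid $ShockwaveClsid
Test-ActiveXKillBit -Clsid $ShockwaveClsid
```

Run with `-WhatIf` first to see which keys would be changed; the kill bit only affects Internet Explorer, so Firefox users still need the NoScript-style whitelisting mentioned above.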