“But as you can see, the situation has not changed since then. “There may have been a point in time when the Flash version provided by Shockwave was ‘caught up’ with the standalone version,” Dormann said. No public exploits, however, have been reported that target the Flash Player bundled with Shockwave. Flash Player, meanwhile, has been updated many more times-almost monthly-including patches for a number of zero-day vulnerabilities targeted by criminals and nation-state hackers. Shockwave has been updated four times in the last 13 months, most recently in February. “But that’s only a temporary fix, since Flash and Shockwave have different patch cycles.” “Reports indicate that Adobe is planning on bringing the Flash version up to date with the next Shockwave update,” Dormann said. “We are reviewing our security update process in order to mitigate risks in Shockwave Player,” Edell said.ĭormann, meanwhile, isn’t sure how much that will help. A week ago, Dormann updated a CERT alert from 2012 that was originally written two years earlier, warning users that Adobe still had not caught up to Shockwave’s shortcomings in this regard.Īdobe spokesperson Heather Edell told Threatpost today that the next release of Shockwave will include an updated version of Flash. “An attacker has not only the Flash attack surface, but all of the Shockwave attack surface at his disposal as well,” said Will Dormann, researcher at Carnegie Mellon University’s Software Engineering Institute.
And, in the bargain, Adobe has known about the issue since October 2010.
It’s bad enough that the Flash runtime bundled with Adobe’s Shockwave player is deficient in security patches going back to January 2013, but what’s worse is that the increased attack surface provided by Shockwave might make it easier to exploit.
0 kommentar(er)
