The critical Shockwave flaws "could enable an attacker to run malicious code on the affected system”, Adobe warned in a security update. The company advised users to update to the latest version of Shockwave.
The Shockwave security update resolves a heap overflow vulnerability that could lead to code execution (CVE-2012-0758) and eight memory corruption vulnerabilities that could lead to code execution (CVE-2012-0757, CVE-2012-0759, CVE-2012-0760, CVE-2012-0761, CVE-2012-0762, CVE-2012-0763, CVE-2012-0764, and CVE-2012-0766).
Adobe acknowledged the help of Honggang Ren of Fortinet’s FortiGuard Labs and 'instruder' of Code Audit Labs in finding and fixing the Shockwave vulnerabilities.
For the RoboHelp vulnerability, a “specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word." Adobe thanked David Damstra of CU*Answers for reporting this flaw.
As reported by Infosecurity, Adobe plugged four critical memory corruption flaws in Shockwave last November.
That update plugged a memory corruption vulnerability in the DIRapi library that could lead to code execution (CVE-2011-2446); a memory corruption vulnerability that could lead to code execution (CVE-2011-2447); a memory corruption vulnerability in the DIRApi library that could lead to code execution (CVE-2011-2448); and multiple potential memory corruption vulnerabilities in the TextXtra module that could lead to code execution (CVE-2011-2449).