Adobe patches six critical vulnerabilities in Shockwave Player

The latest version of Shockwave Player, 11.6.7.638, patches six vulnerabilities. Five are buffer overflows and the sixth is an array out-of-bounds vulnerability; all six could lead to code execution.

Adobe classes the update as critical with a priority 2 rating. This means that a successful exploit could allow malicious code to run without the user’s knowledge (critical), but that there are currently no known exploits in the wild nor any immediate expectation of them (priority). For this reason it is important that administrators update their systems within the next 30 days.

Adobe claims that over 450 million Internet-enabled desktops have installed Adobe Shockwave Player. This compares to more than 1.3 billion installations of Adobe’s more popular Flash Player. It is quite possible, therefore, that some users have installed Shockwave and forgotten about it. Users can check whether Shockwave is installed, and which version, by visiting the Test Adobe Shockwave Player page. If an animation plays and the version number is given, then it is installed and may need to be updated. If users are prompted to download the Player, it is not installed – and, suggests Brian Krebs, they probably don’t need it.

Krebs also warns that the download may attempt to install additional software. “If you update or install Shockwave,” he notes, “be on the lookout for pre-checked ‘extras’; my test installation of this update tried to foist a 30-day trial of Norton Internet Security.”
