US-CERT publishes details on Shockwave vulnerability

The full disclosure principle holds that the only certain way to ensure that vendors patch vulnerabilities is to make those vulnerabilities, including exploits, public knowledge. US-CERT’s official policy is that it “will not distribute exploits, if that's what ‘full disclosure’ means,” but that vulnerabilities “will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors.”

The new vulnerability note (Adobe Shockwave player vulnerable to downgrading) does not include an exploit, but does provide enough information for an exploit to be developed. Three questions have to be asked. Why has Adobe not fixed a vulnerability known for more than two years? Why did US-CERT wait for more than two years (rather than 45 days) before making the vulnerability public? Why has it gone public now?

The last is the most pressing question. Does it imply some knowledge or suspicion that this vulnerability is being or is likely to be exploited? Adobe has now indicated that it will be fixed in the next update scheduled for February next year, still leaving an extended window of opportunity for hackers. Adobe adds that it is unaware of any active exploits.

Shockwave plays active content authored in Macromedia (now Adobe) Director. The vulnerability is a design weakness rather than a coding bug: the HTML page that embeds the content, not the player already installed on the machine, decides which runtime version is used, and an attacker controls that page. From Adobe’s own whitepaper, “When the user launches Shockwave content from a browser, the Shockwave 11 ActiveX control is downloaded... If the HTML page does not specify the playerVersion as 11, the Shockwave ActiveX control is downloaded silently, and installed.”

“Because of this design,” warns US-CERT, “attackers can simply target vulnerabilities in the Shockwave 10 runtime, or any of the Xtras provided by Shockwave 10. For example, the legacy version of Shockwave provides Flash, which was released on November 14, 2006 and contains multiple, known vulnerabilities.”
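The trigger condition in the two quotes above (Shockwave content embedded by a page that does not declare playerVersion 11) is mechanical enough to check for. The following scanner is an added example, not code from the article, Adobe or US-CERT: it walks a page’s object and embed elements and reports which Shockwave embeds would cause the legacy runtime to be fetched. Everything beyond the whitepaper’s own statement is an assumption made for the example: that Shockwave content is recognised by the MIME type application/x-director or a .dcr/.dir/.dxr resource, that playerVersion is supplied as an object param or an embed attribute, and the two sample pages at the bottom, which are constructed.

```python
"""Flag HTML embeds that would trigger Shockwave's silent legacy-runtime download.

Added example, not code from the article, Adobe or US-CERT. Assumptions not taken
from the article: Shockwave content is identified by the MIME type
application/x-director or a .dcr/.dir/.dxr resource, and playerVersion is given as
an <object><param> or as an <embed> attribute. Sample pages below are constructed.
"""
from html.parser import HTMLParser

SHOCKWAVE_MIME = "application/x-director"   # assumed: Director/Shockwave MIME type
SHOCKWAVE_EXTS = (".dcr", ".dir", ".dxr")    # assumed: Director file extensions
REQUIRED_PLAYER_VERSION = "11"               # the value the whitepaper says a page must declare


def _classify(src, mime, player_version):
    """Finding for one element, or None if it does not reference Shockwave content."""
    path = src.lower().split("?", 1)[0]
    if mime.lower() != SHOCKWAVE_MIME and not path.endswith(SHOCKWAVE_EXTS):
        return None
    if player_version is None:
        reason = "no playerVersion declared; legacy Shockwave 10 runtime is downloaded silently"
    elif player_version.strip() != REQUIRED_PLAYER_VERSION:
        reason = (f"playerVersion {player_version.strip()!r} is not {REQUIRED_PLAYER_VERSION}; "
                  "legacy Shockwave 10 runtime is downloaded silently")
    else:
        reason = None
    return {"src": src, "downgrade": reason is not None, "reason": reason}


class _ShockwaveScanner(HTMLParser):
    """Collects <object>/<embed> elements that load Shockwave content."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._objects = []   # stack of open <object> elements (params may follow)

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}   # parser lowercases names
        if tag == "object":
            self._objects.append({"src": a.get("data", ""), "type": a.get("type", ""),
                                  "playerversion": None})
        elif tag == "param" and self._objects:
            name = a.get("name", "").lower()   # param *values* keep their case
            if name in ("src", "movie"):
                self._objects[-1]["src"] = a.get("value", "")
            elif name == "playerversion":
                self._objects[-1]["playerversion"] = a.get("value", "")
        elif tag == "embed":
            # <embed> carries everything as attributes; a missing attribute yields None
            self._add(a.get("src", ""), a.get("type", ""), a.get("playerversion"))

    def handle_endtag(self, tag):
        if tag == "object" and self._objects:
            obj = self._objects.pop()
            self._add(obj["src"], obj["type"], obj["playerversion"])

    def _add(self, src, mime, player_version):
        finding = _classify(src, mime, player_version)
        if finding is not None:
            self.findings.append(finding)


def scan_html(html):
    """Return one finding dict per Shockwave element in the page."""
    scanner = _ShockwaveScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def downgrade_targets(html):
    """Sources of Shockwave elements that would pull in the legacy runtime."""
    return [f["src"] for f in scan_html(html) if f["downgrade"]]


# Constructed sample pages (not from the article).
SAFE_PAGE = """<html><body>
<object type="application/x-director" width="320" height="240">
  <param name="src" value="intro.dcr">
  <param name="playerVersion" value="11">
</object>
</body></html>"""

DOWNGRADE_PAGE = """<html><body>
<object type="application/x-director" width="320" height="240">
  <param name="src" value="game.dcr">
</object>
<embed src="banner.dcr" type="application/x-director" playerVersion="10" width="1" height="1">
<embed src="movie.swf" type="application/x-shockwave-flash" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for label, page in (("safe", SAFE_PAGE), ("downgrade", DOWNGRADE_PAGE)):
        for finding in scan_html(page):
            status = "DOWNGRADE" if finding["downgrade"] else "ok"
            print(f"{label}: {finding['src']}: {status} {finding['reason'] or ''}".rstrip())
```

Run as a script it reports intro.dcr as ok and flags game.dcr (no playerVersion at all) and banner.dcr (playerVersion 10); the Flash embed is ignored because it is not Shockwave content. The same logic fits a web proxy or a site crawl: any page an attacker controls can omit the parameter, so a finding here says “this page would make the installed player reach for the legacy runtime”, which is the condition US-CERT describes.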

US-CERT is not aware of any solution to the problem, but does offer potential workarounds. Brian Krebs, however, does have a solution: “Shockwave,” he says, “is one of those programs that I’ve urged readers to remove or avoid installing.”
