The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) is warning about a dangerous security hole in Adobe’s Shockwave Player that could be used to silently install malicious code. The truly shocking aspect of this bug? U.S. CERT first warned Adobe about the vulnerability in October 2010, and Adobe says it won’t be fixing it until February 2013.

Shockwave is a browser plug-in that some sites require. At issue is a feature of Adobe Shockwave that allows the installation of “Xtras,” downloadable components meant to interact with the media player. According to an advisory from US-CERT, the problem is that Shockwave installs Xtras that are signed by Adobe or Macromedia without prompting, which can allow an attacker to target vulnerabilities in older Xtras. When a Shockwave movie attempts to use an Xtra, it will download and install it as necessary. If the Xtra is signed by Adobe or Macromedia, it will be installed automatically without any user interaction.
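The install decision described above, modelled as an added example (not code from Adobe, US-CERT or the original article): a policy that accepts any valid Adobe or Macromedia signature, next to one possible hardening that also enforces a minimum version per component. The component names, versions and minimum-version table are hypothetical, and signature verification is assumed to have already happened before these functions run.

```python
from dataclasses import dataclass
from typing import Optional

TRUSTED_PUBLISHERS = {"Adobe", "Macromedia"}
# Hypothetical anti-rollback table: lowest version still safe to install silently.
MIN_SAFE_VERSION = {"ExampleMediaXtra": "11.5.0"}


@dataclass(frozen=True)
class XtraRequest:
    name: str
    version: str            # dotted version string carried by the package
    signer: Optional[str]   # publisher from an already verified signature, None if unsigned


def parse_version(text):
    """Turn '11.5' into (11, 5, 0, 0) so short and long forms compare equally."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def signature_only_policy(req):
    """Behaviour the advisory describes: a trusted signature is sufficient."""
    return "install" if req.signer in TRUSTED_PUBLISHERS else "prompt"


def rollback_aware_policy(req):
    """Signature is necessary but not sufficient: also enforce a version floor."""
    if req.signer not in TRUSTED_PUBLISHERS:
        return "prompt"
    floor = MIN_SAFE_VERSION.get(req.name)
    if floor is None:
        return "prompt"     # no floor known: fail closed, never install silently
    try:
        current = parse_version(req.version)
    except ValueError:
        return "block"      # a malformed version cannot be compared
    return "install" if current >= parse_version(floor) else "block"


# Constructed sample requests, not taken from any real Xtra.
SAMPLE_REQUESTS = [
    XtraRequest("ExampleMediaXtra", "11.6.1", "Adobe"),
    XtraRequest("ExampleMediaXtra", "8.0.2", "Macromedia"),  # old, validly signed
    XtraRequest("UnlistedXtra", "1.0", "Adobe"),
    XtraRequest("ExampleMediaXtra", "11.6.1", None),
]


def compare_policies(requests):
    """Return (name, version, signature-only decision, rollback-aware decision)."""
    return [(r.name, r.version, signature_only_policy(r), rollback_aware_policy(r))
            for r in requests]
```

The second sample request is the case the advisory is about: the signature-only policy installs the old, validly signed component silently, while the version-floor policy blocks it.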