Critical Shockwave Install Bug Fixed

A critical vulnerability in the popular Shockwave player was disclosed Thursday by a bug bounty program, and patched that same day by Adobe.

February 24, 2006

1 Min Read
NetworkComputing logo in a gray background | NetworkComputing

A critical vulnerability in the popular Shockwave player was disclosed Thursday by a bug bounty program, and patched that same day by Adobe.

TippingPoint's Zero Day Initiative -- one of two prominent reward programs that pay researchers for information about software vulnerabilities -- warned users that a malicious Web site could hijack a user's computer if the site convinced the visitor to install Shockwave, a player used on many sites to display multi-media content.

Shockwave's ActiveX installer was at fault, said TippingPoint in its advisory.

Adobe, meanwhile, repaired the defective ActiveX installer, and said "since the vulnerability occurs in the installer, no action needs to be taken by current Macromedia Shockwave Player customers."

In other words, Shockwave users can breathe easy.The bug's window of opportunity, however, was at least two month wide -- TippingPoint first notified Adobe of the bug on Nov. 22, 2005 -- although it's unknown how many (or if any) users might have been affected.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights