Adobe has confirmed the existence of an unpatched critical remote code execution vulnerability in Shockwave Player, which was publicly disclosed yesterday.The issue was identified by an outfit called Abyssec Security Research, which notes that it can be exploited by opening a specially crafted DIR or DCR file.
"A critical vulnerability exists in Adobe Shockwave Player 126.96.36.1992 and earlier versions on the Windows and Macintosh operating systems.
"This vulnerability (CVE-2010-3653) could cause a crash and potentially allow an attacker to take control of the affected system," Adobe writes in a newly published advisory.
The flaw is exploitable over the Web and can theoretically be used to infect users with malware via drive-by download attacks.
However, given that Adobe Shockwave is not as widespread as Adobe Flash Player, Adobe Reader, Java or other commonly targeted applications, this exploit might not be considered suitable for inclusion in Web attack toolkits.
It might be used for more targeted approaches, but so far Adobe is not aware of any exploitation attempts in the wild.
Nevertheless, the company is actively working with security vendors to add detection for it to their products.
The publicly released attack code was tested only on Windows XP with Service Pack 3, but the Abysssec researchers point out that the vulnerability is technically exploitable on Windows Vista and 7 as well.
Adobe Shockwave Player is a program designed to run multimedia applications created with Adobe Director. The Director authoring platform is similar to Flash, but offers more powerful options and features.
Flash established dominance over Director, as far as Internet dynamic content publishing goes, before 2000, when download footprint mattered. Shockwave Player is several times times bigger than Flash Player.
Adobe has not yet scheduled a fix for this vulnerability, so people who don't depend on the player, might want to consider uninstalling it from their computers until a patch becomes available.