It’s bad enough that the Flash runtime bundled with Adobe’s Shockwave player is deficient in security patches going back to January 2013, but what’s worse is that the increased attack surface provided by Shockwave might make it easier to exploit. And, in the bargain, Adobe has known about the issue since October 2010.

“An attacker has not only the Flash attack surface, but all of the Shockwave attack surface at his disposal as well,” said Will Dormann, researcher at Carnegie Mellon University’s Software Engineering Institute. A week ago, Dormann updated a CERT alert from 2012 that was originally written two years earlier, warning users that Adobe still had not caught up to Shockwave’s shortcomings in this regard.

Adobe spokesperson Heather Edell told Threatpost today that the next release of Shockwave will include an updated version of Flash. “We are reviewing our security update process in order to mitigate risks in Shockwave Player,” Edell said.

Dormann, meanwhile, isn’t sure how much that will help. “Reports indicate that Adobe is planning on bringing the Flash version up to date with the next Shockwave update,” Dormann said. “But that’s only a temporary fix, since Flash and Shockwave have different patch cycles.”