A flaw in Adobe's Shockwave movie software, first reported in October 2010, is not scheduled to be fixed until February 2013, according to Krebs on Security. Although Adobe claimed that there are no known exploits in the wild, blogger Brian Krebs referred to the delay in patching the software security flaw as "shocking" and underscored the weaknesses in the program.
"Shockwave is one of those programs that I’ve urged readers to remove or avoid installing," Krebs wrote. "Like Java, it is powerful and very often buggy software that many people have installed but do not really need for everyday Web browsing."
According to U.S. CERT, which discovered and disclosed the vulnerability to Adobe in October 2010, the flaw allows an attacker to exploit Shockwave's plug-ins, known as Xtras. Xtras signed by Adobe or Macromedia are installed automatically without user input. Since Xtras are stored in Shockwave movies, an attacker could set up a vulnerable Xtra to be installed and exploited automatically when a Shockwave movie is played.
Users are put at particular risk when they choose to perform a "Slim" install of Shockwave rather than a "Full" install. The "Slim" install includes fewer Xtras, which leaves more room for vulnerable Xtras to be installed on demand later.
While there are workarounds for users waiting for an update, many, like Krebs, may consider two years an unacceptable time frame for releasing a patch. For developers looking to avoid a comparable security issue, source code analysis tools offer a way to catch and prevent vulnerabilities before software is released.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.