Under certain circumstances, Adobe Shockwave Player installs an older version of the runtime when a Shockwave file requires legacy components. This lets attackers target known vulnerabilities in those legacy components, leaving users open to exploitation.
VU#323161 (no CVE listed):
The full installer for Adobe Shockwave Player 18.104.22.1688 installs an old version of Flash Player (10.2.159.1), which contains multiple vulnerabilities known to be exploitable. Users who use this full installer leave themselves open to attackers who attempt to exploit vulnerabilities in that version of Flash Player.
In the case that Adobe Shockwave Player is missing a component, known as an Xtra, it will be downloaded so that the Shockwave content can be played. If Adobe or Macromedia has signed the Xtra that is downloaded, the Xtra will be installed automatically with no user interaction. However, since the URL used to download the Xtra can be provided by the Shockwave file that requires the component, an attacker could provide a URL to a vulnerable version of an Xtra that has been signed by Adobe/Macromedia. The attacker could then exploit that vulnerable Xtra, granting them the ability to execute arbitrary code on the user’s system.
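The weakness in the Xtra download path is that a valid vendor signature is the only gate. The following is an added example, not Adobe's code and not part of the original advisory: it models that install decision beside a stricter one that also pins the download origin and enforces a minimum version. The component name, host names and version floor are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

TRUSTED_SIGNERS = {"Adobe", "Macromedia"}
# Assumptions (not from the advisory): vendor download host and minimum fixed version.
ALLOWED_HOSTS = {"download.vendor.example"}
MIN_SAFE_VERSION = {"ExampleXtra": (11, 5, 0)}


@dataclass(frozen=True)
class XtraOffer:
    name: str
    version: tuple  # parsed component version, e.g. (11, 6, 0)
    signer: str     # publisher taken from an already validated signature
    url: str        # download URL named by the content file


def signature_only_policy(offer):
    """Behaviour the advisory describes: any vendor-signed Xtra installs silently."""
    return offer.signer in TRUSTED_SIGNERS


def hardened_policy(offer):
    """Return (allowed, reason); adds origin pinning and rollback protection."""
    if offer.signer not in TRUSTED_SIGNERS:
        return False, "untrusted signer"
    parts = urlsplit(offer.url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return False, "download origin not allowlisted"
    floor = MIN_SAFE_VERSION.get(offer.name)
    if floor is None:
        return False, "unknown component"
    if offer.version < floor:
        return False, "version below minimum safe version"
    return True, "ok"


# Constructed sample offers: an old signed build from a content-supplied URL,
# the same old build on the vendor host, and a current build.
OLD_SIGNED = XtraOffer("ExampleXtra", (10, 1, 0), "Macromedia",
                       "http://untrusted.example/ExampleXtra.x32")
OLD_FROM_VENDOR = XtraOffer("ExampleXtra", (10, 1, 0), "Macromedia",
                            "https://download.vendor.example/old/ExampleXtra.x32")
CURRENT_BUILD = XtraOffer("ExampleXtra", (11, 6, 0), "Adobe",
                          "https://download.vendor.example/ExampleXtra.x32")

if __name__ == "__main__":
    for offer in (OLD_SIGNED, OLD_FROM_VENDOR, CURRENT_BUILD):
        print(offer.url, signature_only_policy(offer), hardened_policy(offer))
```

The version floor is what stops the rollback: the old build is still rejected when it is served from the vendor's own host, because its signature never stops being valid.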
Adobe Shockwave Player 22.214.171.1248 and earlier
Remote Code Execution
Exploitation of these vulnerabilities is possible through methods such as drive-by attacks. Remote attackers who successfully exploit these vulnerabilities will be able to execute code on the vulnerable system with the same rights as the currently logged-on user.
BeyondTrust Prevention and Detection:
Block the Shockwave Player ActiveX control in Internet Explorer by setting killbits for the following CLSIDs: