
Flaw in Macromedia Shockwave Installer

Posted by deepquest on February 28, 2006 – 12:36 am

A security flaw in Adobe Systems’ Macromedia Shockwave Installer could put millions of PC users at risk of code execution attacks, the company warned in an advisory.
The flaw, which carries a “critical” rating, affects Shockwave Player 10.1.0.11 and earlier versions. According to Adobe’s advisory, the vulnerability occurs only during the installation process, and current users do not need to take action.

“Customers downloading and installing the latest Shockwave Player are also no longer vulnerable with the updated Shockwave Player ActiveX installer,” Adobe officials said.

The company credited TippingPoint’s Zero Day Initiative with reporting the issue, which is caused by a boundary error in the Shockwave Installer ActiveX control. The error lets a malicious hacker trigger a stack-based buffer overflow via overly long values passed in two specific parameters to the control.

Security alerts aggregator Secunia warned that successful exploitation allows arbitrary code execution, but exploitation requires that users be tricked into visiting a malicious Web site that prompts them to install Shockwave Player.

Users should only install Shockwave Player directly from Adobe’s Web site, Secunia officials said.

More from eWeek: http://www.eweek.com/article2/0,1895,1931039,00.asp

