Macromedia has fixed a flaw in its Shockwave Player's ActiveX installer that could allow an attacker to compromise a PC by running arbitrary code.
The company told users on Thursday that the vulnerability has been fixed, and, because the flaw was in the installer, Shockwave Player users should take no further action.
The flaw affected the media player's versions 10.1.0.11 and earlier.
"Adobe has fixed the issue in the Shockwave Player ActiveX installer. Since the vulnerability occurs in the installer, no action needs to be taken by current Macromedia Shockwave Player customers," Macromedia said on its website. "Customers downloading and installing the latest Shockwave Player are also no longer vulnerable with the updated Shockwave Player ActiveX installer."
Macromedia said TippingPoint's Zero Day Initiative reported the vulnerability.
To exploit the flaw, users would have to be redirected to a page including malicious code that would ask readers to install Shockwave Player.
TippingPoint, on the Zero Day Initiative website, said that the vulnerability was reported to Macromedia on Nov. 22 of last year, the same day a digital vaccine was released to TippingPoint customers. On Monday, flaw information was provided to ZDI security partners.
TippingPoint credited Peter Vreugdenhil with discovering the flaw. Secunia, which released an advisory for the "highly critical" flaw today, noted that users would have to be tricked into visiting a malicious site by social engineering.
"The vulnerability is caused due to a boundary error in the Installer ActiveX control. This can be exploited to cause a stack-based buffer overflow via overly long values passed in two specific parameters to the control," Secunia warned on its site. "Successful exploitation allows arbitrary code execution, but requires that the user is e.g. tricked into visiting a malicious web site that prompts the user to install Shockwave Player."
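The pattern Secunia describes, a fixed-size stack buffer receiving overly long parameter values with no boundary check, is shown below beside the length-validated form that prevents the overflow. This is an added illustration and not code from Macromedia's installer, Secunia or TippingPoint; the buffer size PARAM_MAX, the parameter names and the build_request helper are hypothetical, and the advisory's "two specific parameters" are modelled as two fields that both pass through the same check.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size buffer for one control parameter (not the real size). */
#define PARAM_MAX 64

/* Vulnerable shape: copy a caller-supplied value into a fixed stack buffer with
 * no boundary check. A value longer than PARAM_MAX - 1 bytes writes past the
 * end of buf. Shown only for contrast; never call it with untrusted input. */
int set_param_unchecked(const char *value)
{
    char buf[PARAM_MAX];
    strcpy(buf, value);                 /* no length check: stack overflow */
    return (int)strlen(buf);
}

/* Hardened form: copy value into out only if it fits, terminator included.
 * Returns 0 on success and -1 (leaving out empty) when the value is too long. */
int set_param_checked(const char *value, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return -1;
    /* Scan at most outsz bytes so an unterminated input cannot run away. */
    while (n < outsz && value[n] != '\0')
        n++;
    if (n == outsz) {                   /* no room for the NUL: reject */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, value, n + 1);          /* n bytes plus terminator */
    return 0;
}

/* The advisory names two parameters; both go through the same check. */
struct install_request {
    char param_a[PARAM_MAX];
    char param_b[PARAM_MAX];
};

/* Returns 0 if both values fit, -1 as soon as one does not. */
int build_request(struct install_request *req, const char *a, const char *b)
{
    if (set_param_checked(a, req->param_a, sizeof req->param_a) != 0)
        return -1;
    if (set_param_checked(b, req->param_b, sizeof req->param_b) != 0)
        return -1;
    return 0;
}

int main(void)
{
    struct install_request req;
    char oversized[200];                /* constructed: 199 'A's, far past PARAM_MAX */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short values: %s\n",
           build_request(&req, "shockwave", "10.1.0.11") == 0 ? "accepted" : "rejected");
    printf("oversized:    %s\n",
           build_request(&req, "shockwave", oversized) == 0 ? "accepted" : "rejected");
    (void)set_param_unchecked("short"); /* safe only because this input is short */
    return 0;
}
```

The checked version rejects an oversized value outright instead of silently truncating it, which keeps the caller aware that untrusted input was refused; pairing such a check with compiler stack protection and non-executable stacks limits what a remaining overrun could achieve, but the missing length check is the defect itself.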