Researchers at VUPEN have discovered four major vulnerabilities and one minor in the Adobe Shockwave Player. The vulnerabilities are present in version 220.127.116.111 and those predating it. Adobe Shockwave is installed on over 450 million client systems world-wide.
The most problematic of the vulnerabilities can be exploited to execute arbitrary commands when a visitor views a malicious web page. Three of the vulnerabilities can be exploited to trick a user into visiting a malicious website. The vulnerability least at issue here is a possible denial of service to the Shockwave application caused by a faulty boundary condition.
When you put together the individual vulnerabilities, you can see that the exploitation of these issues is a one-two punch. First, a user can be redirected to a malicious web page where Shockwave will execute arbitrary code. These vulnerabilities affect all browsers, including Internet Explorer and Firefox. Adobe recommends updating Shockwave to their latest version, 18.104.22.1682, or higher.
Yet another reason that website administrators should invest in regular website scanning to discover malicious content that may be attacking their visitors.