Adobe Shockwave player installs Xtras without prompting
Adobe Shockwave Player
A vulnerability was reported in Adobe Shockwave.
Adobe Shockwave Player through 126.96.36.1998 allows remote attackers to trigger installation of arbitrary signed Xtras via a Shockwave movie that contains an Xtra URL, as demonstrated by a URL for an outdated Xtra.
By convincing a user to view a specially crafted Shockwave content, an attacker may be able to execute arbitrary code with the privileges of the user.
No solution was available at the time of this entry.
The vendor plans to issue a fix in February 2013.