Adobe Shockwave Player through 11.6.8.638 allows remote attackers to trigger installation of arbitrary signed Xtras via a Shockwave movie that contains an Xtra URL, as demonstrated by a URL for an outdated Xtra.Referenceshttp://www.kb.cert.org/vuls/id/519137http://www.kb.cert.org/vuls/id/323161
