Adobe Shockwave Player Multiple Vulnerabilities

by Carol~ Moderator - 10/24/12 8:08 AM

In Reply to: VULNERABILITIES / FIXES - October 24, 2012 by Carol~ Moderator

Release Date : 2012-10-24

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software: Adobe Shockwave Player 11.x

Description:
Multiple vulnerabilities have been reported in Adobe Shockwave Player, which can be exploited by malicious people to compromise a user's system.

1) An unspecified error can be exploited to cause a buffer overflow.

2) An unspecified error can be exploited to cause a buffer overflow.

3) An unspecified error can be exploited to cause a buffer overflow.

4) An unspecified error can be exploited to cause a buffer overflow.

5) An unspecified error can be exploited to cause a buffer overflow.

6) An array-indexing error can be exploited to corrupt memory.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code by tricking a user into viewing specially crafted Director content.

The vulnerabilities are reported in versions 11.6.7.637 and prior for Windows and Macintosh.

Solution:
Update to version 11.6.8.638.

Provided and/or discovered by:
1, 2, 3, 4, 6) Will Dormann, CERT/CC.
5) The vendor credits Honggang Ren, Fortinet's FortiGuard Labs.

Original Advisory:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb12-23.html

US-CERT VU#872545:
http://www.kb.cert.org/vuls/id/872545

http://secunia.com/advisories/51090/