CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2010-093

DATE(S) ISSUED:
10/21/2010

SUBJECT:
Vulnerability in Adobe Shockwave Player Could Allow Remote Code Execution

OVERVIEW:

A vulnerability has been discovered in Adobe Shockwave Player that could allow remote code execution. Adobe Shockwave Player is a widely used multimedia application that displays animations and video when visiting web sites. This vulnerability can be exploited by visiting a web page that contains a malicious Adobe Shockwave file. Successful exploitation may result in an attacker gaining the same privileges as the logged-on user within the scope of the application. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in denial-of-service conditions.

Please note that there is no patch available for this vulnerability. Exploit code is publicly available but we have not received any reports of active exploitation.

SYSTEMS AFFECTED:

  • All versions prior to and including Adobe Shockwave Player 11.5.8.612
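The affected range above can be checked against a software inventory. The following is an added example, not part of the original advisory; the CSV column names, host names and version values in the sample are constructed for illustration. It compares versions numerically, since a plain string comparison would wrongly rank a build such as 11.5.10.x below 11.5.8.612.

```python
# Added example: triage a software inventory against the affected range in this advisory.
import csv
import io

LAST_AFFECTED = (11, 5, 8, 612)  # SYSTEMS AFFECTED: prior to and including 11.5.8.612

# Constructed sample inventory (hypothetical hosts, columns and version values).
SAMPLE_INVENTORY = """host,product,version
ws-001,Adobe Shockwave Player,11.5.8.612
ws-002,Adobe Shockwave Player,11.5.10.100
ws-003,Adobe Shockwave Player,10.2.0.23
ws-004,Adobe Shockwave Player,11.5.8
ws-005,Adobe Shockwave Player,unknown
ws-006,Adobe Flash Player,10.1.85.3
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if text is not a dotted numeric version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # pad "11.5.8" to (11, 5, 8, 0)

def triage(inventory_csv):
    """Sort Shockwave installs into affected, outside_range and review host lists."""
    result = {"affected": [], "outside_range": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "shockwave player" not in row["product"].lower():
            continue  # other products are out of scope for this advisory
        version = parse_version(row["version"])
        if version is None:
            result["review"].append(row["host"])  # unparseable: check by hand
        elif version <= LAST_AFFECTED:
            result["affected"].append(row["host"])
        else:
            result["outside_range"].append(row["host"])
    return result

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the review list have a version string that could not be parsed and should be checked manually rather than assumed safe.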

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
A vulnerability has been discovered in Adobe Shockwave Player that could allow for remote code execution because it fails to properly parse 'rcsL' chunks of Director's RIFF-based file format. This could allow an attacker to change the value of the EAX register in order to control the pointer responsible for calculating an offset into a heap-based buffer. This vulnerability can be exploited if a user visits a specially crafted web page designed to exploit this vulnerability. Successful exploitation may result in an attacker gaining the same privileges as the logged-on user within the scope of the application. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in denial-of-service conditions.

Please note that there is no patch available for this vulnerability. Exploit code is publicly available but we have not received any reports of active exploitation.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Adobe to vulnerable systems as soon as they become available.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:
Security Focus:
http://www.securityfocus.com/bid/44291