MS-ISAC ADVISORY NUMBER:
2009-037
DATE(S) ISSUED:
6/25/2009
SUBJECT:
Vulnerability in Adobe Shockwave Player Could Allow Remote Code Execution
OVERVIEW:
A vulnerability has been identified in Adobe Shockwave Player that could allow remote code execution. Adobe Shockwave Player is a widely distributed multimedia playback application. This vulnerability can be exploited by visiting a web page or by opening an email attachment that contains a malicious Adobe Director file (.dcr file). Successful exploitation may result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in denial-of-service conditions.
SYSTEMS AFFECTED:
- All versions prior to and including Adobe Shockwave Player 11.5.0.596
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
A vulnerability has been identified in Adobe Shockwave Player that could allow for remote code execution. The vulnerability is triggered by opening a specially crafted Adobe Director file that causes a memory dereferencing error which may overwrite an unspecified 4-byte pointer when the application parses the file. There are no known exploits currently available.
Successful exploitation may result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in denial-of-service conditions.
To remediate this issue, Adobe recommends that all versions of Shockwave Player up to version 11.5.0.596 be removed, and that Shockwave Player 11.5.0.600 be installed.
RECOMMENDATIONS:
We recommend the following actions be taken:
- All versions of Shockwave Player up to version 11.5.0.596 should be removed, and Shockwave Player 11.5.0.600 should be installed.
- Consider blocking Adobe Director files (.dcr files) at the network perimeter.
- Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
- Do not open email attachments from unknown or untrusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
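To act on the first recommendation, the added example below (not part of the MS-ISAC advisory or of any Adobe tooling) sorts a software-inventory export into hosts that still need the upgrade, using the two version numbers given above. The inventory rows, host names and the accepted separator characters are assumptions made for illustration.

```python
import re

# Thresholds taken from the advisory text.
LAST_AFFECTED = (11, 5, 0, 596)
FIRST_FIXED = (11, 5, 0, 600)

# Constructed sample inventory (host, reported Shockwave Player version).
INVENTORY = [
    ("ws-001", "11.5.0.596"),
    ("ws-002", "11.5.0 596"),   # space-separated build number
    ("ws-003", "11.5.0.600"),
    ("ws-004", "10.4.0.25"),
    ("ws-005", "11.5.0.598"),
    ("ws-006", "unknown"),
    ("ws-007", "11.5"),
]


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a version.

    '.', ',' and whitespace are accepted as separators (an assumption about
    how inventory tools report the value); missing fields count as 0.
    """
    parts = re.split(r"[.,\s]+", text.strip())
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def classify(version_text):
    """Map a reported version onto the advisory's affected/fixed ranges."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"      # needs manual follow-up
    if version <= LAST_AFFECTED:
        return "vulnerable"    # remove and install 11.5.0.600
    if version >= FIRST_FIXED:
        return "fixed"
    return "unlisted"          # between 596 and 600: advisory is silent


def audit(rows):
    """Group hosts by classification, preserving input order."""
    report = {}
    for host, version in rows:
        report.setdefault(classify(version), []).append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Anything not reported as "fixed" should be treated as still requiring action; "unparsed" and "unlisted" hosts need a manual check rather than being assumed safe.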
REFERENCES:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb09-08.html
TippingPoint Zero Day Initiative:
http://www.zerodayinitiative.com/advisories/ZDI-09-044/
Secunia:
http://secunia.com/advisories/35544/
Security Focus:
http://www.securityfocus.com/bid/35469
CVE:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=2009-1860
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
