Adobe Shockwave Player unprompted Xtras installation vulnerability

Source: Internet
Author: User
Tags: adobe, shockwave

Release date:
Updated on:

Affected Systems:
Adobe Shockwave Player <= 11.5.7.609
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56972
CVE (CAN) ID: CVE-2012-6271

Adobe Shockwave Player is software used to play web content created with Macromedia/Adobe Director.

Shockwave Player runs as an ActiveX control in IE and as a plug-in in other browsers. It can be installed either "completely" or "streamlined". The streamlined installation does not bundle the Xtras; when Shockwave content needs an Xtra, the player downloads and installs it on demand, and an Xtra signed by Adobe or Macromedia is installed automatically without prompting the user. Because the download location for Xtras is stored in the Shockwave movie file itself, an attacker who persuades a user to view a specially crafted movie controls where the Xtras are fetched from. The attacker can therefore have the player download and install a vulnerable version of an Xtra from an attacker-controlled location (which, being signed, installs without a prompt) and then use the flaw in that Xtra to execute arbitrary code with the privileges of the current user.

<* Source: Will Dormann

Link: http://www.eeye.com/resources/security-center/research/zero-day-tracker/2012/20121217
http://www.kb.cert.org/vuls/id/519137
*>

Suggestion:
--------------------------------------------------------------------------------
Temporary solution:

* Restrict access to Director files;

* Disable the Shockwave Player ActiveX control in IE;

* Use the Microsoft Enhanced Mitigation Experience Toolkit (EMET);

* Enable DEP in Microsoft Windows;

* Install Shockwave with the "complete" installer rather than the "streamlined" one, so that the Xtras are bundled and never fetched on demand.
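The following PowerShell script is an added example, not part of the advisory and not code from Adobe or CERT. It checks whether the Shockwave ActiveX control registered on a Windows host falls within the affected version range stated above and, if so, applies the "disable the ActiveX control in IE" workaround by setting the IE kill bit. Two things are assumptions rather than facts from this page: that the Shockwave control's CLSID is {233C1507-6A77-46A4-9443-F871F945D258}, and that the file version of the registered DLL tracks the player version. Verify both against your own installation, and run the script from an elevated prompt.

```powershell
# Added example (not from the advisory): detect an affected Shockwave ActiveX
# control and apply the IE kill-bit workaround from the suggestion list.
# ASSUMPTION: this CLSID identifies the Shockwave ActiveX control; verify locally.
$ShockwaveClsid  = '{233C1507-6A77-46A4-9443-F871F945D258}'
# Upper bound of the affected range, taken from the advisory.
$AffectedMaximum = [version]'11.5.7.609'

function Get-ShockwaveControlVersion {
    param([string]$Clsid = $ShockwaveClsid)
    # Follow the COM registration to the DLL and read its file version.
    # ASSUMPTION: the DLL file version reflects the installed player version.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $key)) { return $null }
    $dll = (Get-ItemProperty -Path $key).'(default)'
    if (-not ($dll -and (Test-Path $dll))) { return $null }
    $vi = (Get-Item $dll).VersionInfo
    # Build from the numeric parts; the FileVersion string is sometimes comma-separated.
    return New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                     $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-ShockwaveAffected {
    param([version]$Installed, [version]$Maximum = $AffectedMaximum)
    # [version] compares component by component, so 11.5.7.609 -lt 11.5.10.620
    # even though a plain string comparison would get that wrong.
    return ($null -ne $Installed) -and ($Installed -le $Maximum)
}

function Set-ActiveXKillBit {
    param([string]$Clsid = $ShockwaveClsid)
    # Setting bit 0x400 in "Compatibility Flags" stops IE from instantiating
    # the control. 32-bit IE on 64-bit Windows reads the Wow6432Node view,
    # so both registry views are written.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord `
                         -Value 0x400 -Force | Out-Null
    }
}

$installed = Get-ShockwaveControlVersion
if ($null -eq $installed) {
    Write-Output 'Shockwave ActiveX control is not registered on this host.'
} elseif (Test-ShockwaveAffected -Installed $installed) {
    Write-Output "Shockwave $installed is within the affected range (<= $AffectedMaximum); setting IE kill bit."
    Set-ActiveXKillBit
} else {
    Write-Output "Shockwave $installed is outside the affected range stated in the advisory."
}
```

The kill bit only blocks the control inside Internet Explorer; it does not remove the player or affect other browsers' plug-ins, so pair it with the "complete" installation or with removal of the player where it is not needed. Removing the `Compatibility Flags` value (or clearing bit 0x400) reverses the change once a fixed version is installed.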

Vendor patch:

Adobe
-----
The vendor has not yet released a patch or upgrade. Users of the software are advised to check the vendor's security page for the latest version:

http://www.adobe.com/support/security/
