Adobe Shockwave Player Downgrade Installation Vulnerability

Source: Internet
Author: User
Tags: adobe shockwave

Release date:
Updated on:

Affected Systems:
Adobe Shockwave Player <= 11.5.7.609
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56972
CVE (CAN) ID: CVE-2012-6270

Adobe Shockwave Player is software used to play web content created with Macromedia and Adobe Director.

Shockwave Player may automatically install an earlier version of its runtime. As a result, attackers can exploit vulnerabilities in the earlier version to launch remote attacks.

When Shockwave content is viewed in a browser, the Shockwave 11 ActiveX control is downloaded to the <% System %>/Adobe/Shockwave 11 folder. If the HTML page does not specify the download version as 11, the Shockwave 10.4.0.025 ActiveX control is downloaded by default and installed in the <% System %>/Macromed/Shockwave10 folder. The automatic Shockwave update mechanism is only installed with version 11. To play content built for the old version, a page can set the compatibility parameter to 10 or leave it blank, which downloads Shockwave 10.4.0.025. This design allows attackers to exploit vulnerabilities in the Shockwave 10 runtime to execute arbitrary code.
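For defenders who host or proxy HTML, the following added example (not code from the advisory or from Adobe) audits markup for Shockwave embeds that do not pin version 11 and would therefore pull the Shockwave 10 runtime as described above. Assumptions: the compatibility parameter is named `PlayerVersion`, Director content is recognised by the `application/x-director` MIME type or a `.dcr` URL, and `SAMPLE` is constructed input.

```python
from html.parser import HTMLParser

# Assumption: the advisory only says "compatibility parameter"; the attribute
# name PlayerVersion is assumed here. Adjust it for the content you audit.
VERSION_PARAM = "playerversion"

def is_director(a):  # Director MIME type or a .dcr movie URL
    urls = (a.get("src", ""), a.get("data", ""), a.get("value", ""))
    return (a.get("type", "").lower() == "application/x-director"
            or any(u.lower().split("?")[0].endswith(".dcr") for u in urls))

def requests_legacy(version):  # per the advisory: anything but an explicit 11
    return (version or "").strip().split(".")[0] != "11"

class ShockwaveAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, requested version or None)
        self._obj = None    # state of the <object> currently open

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}  # HTMLParser lowercases names
        name = a.get("name", "").lower()
        if tag == "object":
            self._obj = {"line": self.getpos()[0], "ver": None, "sw": is_director(a)}
        elif tag == "param" and self._obj and name == VERSION_PARAM:
            self._obj["ver"] = a.get("value", "")
        elif tag == "param" and self._obj and name in ("src", "movie"):
            self._obj["sw"] = self._obj["sw"] or is_director(a)
        elif tag == "embed" and is_director(a) and self._obj:
            self._obj["sw"] = True  # fallback <embed> nested in an <object>
        elif tag == "embed" and is_director(a):
            self.findings.append((self.getpos()[0], a.get(VERSION_PARAM)))

    def handle_endtag(self, tag):
        if tag == "object" and self._obj:
            if self._obj["sw"]:
                self.findings.append((self._obj["line"], self._obj["ver"]))
            self._obj = None

def audit(html):
    """Return (line, requested version, would_pull_legacy_runtime) per embed."""
    parser = ShockwaveAudit()
    parser.feed(html)
    parser.close()
    return [(line, ver, requests_legacy(ver)) for line, ver in parser.findings]

# Constructed sample: one object pinned to 11, one with a blank version.
SAMPLE = """<object><param name="src" value="a.dcr"><param name="PlayerVersion" value="11"></object>
<object><param name="src" value="b.dcr"><param name="PlayerVersion" value=""></object>"""
```

`audit(SAMPLE)` reports the second object as one that would trigger the legacy download; a missing parameter is reported with a version of `None`.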

<* Source: Will Dormann

Link: http://www.eeye.com/resources/security-center/research/zero-day-tracker/2012/20121217
http://www.kb.cert.org/vuls/id/546769
*>

Suggestion:
--------------------------------------------------------------------------------
Temporary solution:

* Restrict access to Director files

* Disable the Shockwave Player ActiveX control in IE

* Use the Microsoft Enhanced Mitigation Experience Toolkit

* Enable DEP in Microsoft Windows

* Install the full Shockwave package instead of the simple one

Vendor patch:

Adobe
-----
Currently, the vendor has not provided a patch or upgrade. Users of the software should watch the vendor's homepage for the latest version:

http://www.adobe.com/support/security/
