Release date:
Updated on:
Affected Systems:
Adobe Shockwave Player <= 11.5.7.609
Description:
--------------------------------------------------------------------------------
Bugtraq id: 56972
CVE (CAN) ID: CVE-2012-6271
Adobe Shockwave Player is software used to play web content created with Macromedia and Adobe Director.
Shockwave Player runs as an ActiveX control in Internet Explorer and as a plug-in in other browsers. It can be installed in a "full" or a "slim" configuration. The slim installation does not include the Xtras; when Shockwave needs an Xtra, it downloads and installs it on demand. If the Xtra is signed by Adobe or Macromedia, it is installed automatically. Because the download location for Xtras is stored in the Shockwave movie file and can therefore be chosen by an attacker, an attacker who tricks a user into viewing a specially crafted Shockwave movie can cause Shockwave to download and install a vulnerable Xtra version from an attacker-controlled location, and then exploit that vulnerable Xtra to execute arbitrary code with the privileges of the current user.
<* Source: Will Dormann
Link: http://www.eeye.com/resources/security-center/research/zero-day-tracker/2012/20121217
http://www.kb.cert.org/vuls/id/519137
*>
Suggestion:
--------------------------------------------------------------------------------
Temporary solution:
* Restrict access to Director files;
* Disable the Shockwave Player ActiveX control in IE;
* Use the Microsoft Enhanced Mitigation Experience Toolkit (EMET);
* Enable DEP in Microsoft Windows;
* Use the full Shockwave installation rather than the slim installation.
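The following PowerShell script is an added example of applying two of the interim mitigations above on a Windows host (disabling the Shockwave ActiveX control in Internet Explorer via its kill bit, and enabling DEP); it is not part of the original advisory or any vendor guidance. The CLSID it uses is the one the author believes identifies the Shockwave ActiveX control; confirm it against the vendor or CERT documentation before deploying, and run the script from an elevated prompt.

```powershell
# Added example (not from the advisory): apply interim Shockwave mitigations.
# Assumption: the Shockwave ActiveX control is identified by the CLSID below.
# Verify the CLSID before use; an incorrect value silently kill-bits nothing useful.
$ShockwaveClsid = '{233C1507-6A77-46A4-9443-F871F945D258}'

# COMPAT_EVIL_DONT_LOAD (0x400): IE refuses to instantiate a control whose
# "Compatibility Flags" value carries this bit.
$KillBitFlag = 0x400

# Both the native and the 32-bit (Wow6432Node) IE hives on 64-bit Windows.
$KillBitRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Clsid,
        [int]$Flag = 0x400
    )
    $path = Join-Path $Root $Clsid
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # Preserve any flags already set; OR in the kill bit.
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $Flag
    New-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new `
        -PropertyType DWord -Force | Out-Null
}

function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$Clsid,
        [int]$Flag = 0x400
    )
    $path = Join-Path $Root $Clsid
    if (-not (Test-Path $path)) { return $false }
    $value = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$value) -band $Flag) -eq $Flag
}

# 1. Disable the Shockwave ActiveX control in Internet Explorer.
foreach ($root in $KillBitRoots) {
    # The Wow6432Node hive only exists on 64-bit Windows; skip it otherwise.
    if (-not (Test-Path (Split-Path $root -Parent))) { continue }
    Set-ActiveXKillBit -Root $root -Clsid $ShockwaveClsid -Flag $KillBitFlag
    $state = if (Test-ActiveXKillBit -Root $root -Clsid $ShockwaveClsid -Flag $KillBitFlag) { 'set' } else { 'NOT set' }
    Write-Host "Kill bit for $ShockwaveClsid under $root : $state"
}

# 2. Enable DEP system-wide for the current boot entry.
#    OptOut applies DEP to every process unless explicitly exempted;
#    AlwaysOn is stricter and cannot be overridden per application.
#    Takes effect after a reboot.
& bcdedit /set '{current}' nx OptOut
```

Re-run the script after any Shockwave reinstall, since an installer may re-register the control; the kill bit itself survives because it lives under the IE compatibility key rather than the control's own registration. Restricting access to Director files and deploying EMET are left to file-type and endpoint policy tooling and are not scripted here.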
Vendor patch:
Adobe
-----
At the time of writing, the vendor has not released a patch or upgraded version. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://www.adobe.com/support/security/