Overview
Adobe Shockwave Player 11.6.7.637 and earlier versions on the Windows and Macintosh operating systems contain critical vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Adobe Macromedia Shockwave Player is software that plays active web content developed in Macromedia and Adobe Director. Shockwave Player is available as an ActiveX control for Internet Explorer and as a plug-in for other web browsers. Multiple vulnerabilities have been discovered in Shockwave Player and its Xtra components that can be exploited by an attacker to execute arbitrary code on a user's system. More details are available in Adobe Security Bulletin APSB12-23. |
Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), Microsoft Office document, or any other document that supports embedded Shockwave content, an attacker may be able to execute arbitrary code |
Solution
Apply an update |
Limit access to Director files |
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 7.8 | E:POC/RL:OF/RC:C |
Environmental | 5.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
These vulnerabilities were reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Other Information
CVE IDs: | CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, CVE-2012-4176 |
Date Public: | 2012-10-23 |
Date First Published: | 2012-10-23 |
Date Last Updated: | 2014-08-15 02:50 UTC |
Document Revision: | 15 |