logo
DATABASE RESOURCES PRICING ABOUT US

Security update available for Shockwave Player

Description

Security update available for Shockwave Player Release date: February 8, 2011 Vulnerability identifier: APSB11-01 CVE number: CVE-2010-2587, CVE-2010-2588, CVE-2010-2589, CVE-2010-4092, CVE-2010-4093, CVE-2010-4187, CVE-2010-4188, CVE-2010-4189, CVE-2010-4190, CVE-2010-4191, CVE-2010-4192, CVE-2010-4193, CVE-2010-4194, CVE-2010-4195, CVE-2010-4196, CVE-2010-4306, CVE-2010-4307, CVE-2011-0555, CVE-2011-0556, CVE-2011-0557, CVE-2011-0569 Platform: Windows and Macintosh Summary Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.615 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions update to Adobe Shockwave Player 11.5.9.620 using the instructions provided below. Affected software versions Shockwave Player 11.5.9.615 and earlier versions for Windows and Macintosh Solution Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions upgrade to the newest version 11.5.9.620, available here: http://get.adobe.com/shockwave/. Severity rating Adobe categorizes this as a critical update and recommends that users apply the latest update for their product installation by following the instructions in the "Solution" section above. Details Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.615 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions update to Adobe Shockwave Player 11.5.9.620 using the instructions provided above. This update resolves a memory corruption vulnerability in the dirapi.dll module that could lead to code execution (CVE-2010-2587). This update resolves a memory corruption vulnerability in the dirapi.dll module that could lead to code execution (CVE-2010-2588). This update resolves an integer overflow vulnerability in the dirapi.dll module that could lead to code execution (CVE-2010-2589). This update resolves a use-after-free vulnerability that could lead to code execution (CVE-2010-4092). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-4093). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-4187). This update resolves a memory corruption vulnerability in the dirapi.dll module that could lead to code execution (CVE-2010-4188). This update resolves a memory corruption vulnerability in the IML32 module that could lead to code execution (CVE-2010-4189). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-4190). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-4191). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-4192). This update resolves an input validation vulnerability that could lead to code execution (CVE-2010-4193). This update resolves an input validation vulnerability in the dirapi.dll module that could lead to code execution (CVE-2010-4194). This update resolves an input validation vulnerability in the TextXtra module that could lead to code execution (CVE-2010-4195). This update resolves an input validation vulnerability in the Shockwave 3d Asset module that could lead to code execution (CVE-2010-4196). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-4306). This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-4307). This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2011-0555). This update resolves a memory corruption vulnerability in the Font Xtra.x32 module that could lead to code execution (CVE-2011-0556). This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2011-0557). This update resolves a memory corruption vulnerability in the Font Xtra.x32 module that could lead to code execution (CVE-2011-0569). Acknowledgments Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers: • Carsten Eiram, Secunia Research (CVE-2010-2587, CVE-2010-2588, CVE-2010-2589). • Krystian Kloskowski (h07), working with Secunia Research (CVE-2010-4092). • Will Dormann of CERT/CC (CVE-2010-4093, CVE-2010-4193, CVE-2010-4194, CVE-2010-4195, CVE-2010-4196). • Andrzej Dyjak of iDefense Labs (CVE-2010-4187). • Aaron Portnoy and Logan Brown, TippingPoint DVLabs (CVE-2010-4188). • Logan Brown and Aaron Portnoy, TippingPoint DVLabs(CVE-2011-0555, CVE-2011-0556). • Aaron Portnoy and Logan Brown, TippingPoint DVLabs (CVE-2010-4189). • Aniway and Luigi Auriemma through TippingPoint's Zero Day Initiative (CVE-2010-4190). • An anonymous reporter through TippingPoint's Zero Day Initiative (CVE-2010-4191). • Aniway through TippingPoint's Zero Day Initiative (CVE-2010-4192). • IBM X-Force (CVE-2010-4306, CVE-2010-4307). • An anonymous reporter through TippingPoint's Zero Day Initiative (CVE-2011-0557). • Logan Brown and Aaron Portnoy, TippingPoint DVLabs and Luigi Auriemma through TippingPoint's Zero Day Initiative (CVE-2011-0569).


Related