VUPEN Vulnerability Research - Adobe Shockwave Player Multiple Code Execution Vulnerabilities


I. BACKGROUND
---------------------

"Over 450 million Internet-enabled desktops have installed Adobe Shockwave Player. These people now have access to some of the best the Web has to offer including dazzling 3D games and entertainment, interactive product demonstrations, and online learning applications. Shockwave Player displays Web content that has been created by Adobe Director." from Adobe.com


II. DESCRIPTION
---------------------

VUPEN Vulnerability Research Team discovered four critical vulnerabilities affecting Adobe Shockwave Player.

These vulnerabilities are caused by memory corruptions, invalid index, and invalid pointer errors within the processing of malformed Shockwave content, which could allow attackers to execute arbitrary code via specially crafted web pages.

VUPEN-SR-2009-15 - Adobe Shockwave String Length Code Execution Vulnerability
VUPEN-SR-2009-14 - Adobe Shockwave Pointer Overwrite Code Execution Vulnerability
VUPEN-SR-2009-13 - Adobe Shockwave Invalid Pointer Code Execution Vulnerability
VUPEN-SR-2009-12 - Adobe Shockwave Invalid Index Code Execution Vulnerability


III. AFFECTED PRODUCTS
--------------------------------

Adobe Shockwave Player version 11.5.1.601 and prior


IV. Exploits - PoCs & Binary Analysis
--------------------------------------

Fully functional remote code execution exploits have been developed by VUPEN Security and are available with the in-depth binary analysis of the vulnerabilities through the VUPEN Exploits & PoCs Service.

http://www.vupen.com/exploits


V. SOLUTION
----------------

Upgrade to Adobe Shockwave Player version 11.5.2.602:
http://get.adobe.com/shockwave/


VI. CREDIT
--------------

The vulnerabilities were discovered by Nicolas JOLY of VUPEN Security


VII. REFERENCES
----------------------

http://www.vupen.com/english/advisories/2009/3134
http://www.adobe.com/support/security/bulletins/apsb09-16.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3466


VIII. DISCLOSURE TIMELINE
-----------------------------------

2009-07-17 - Vendor notified
2009-07-17 - Vendor response
2009-10-27 - Status update received
2009-11-03 - Coordinated public Disclosure