Adobe Shockwave Player 18.104.22.1682 and earlier versions on the Windows and Macintosh operating systems contain a critical vulnerability in the handling of "rcsL" chunks.
Adobe Macromedia Shockwave Player is software that plays active web content developed in Macromedia and Adobe Director. Shockwave Player is available as an ActiveX control for Internet Explorer and as a plug-in for other web browsers.
A vulnerability has been discovered in Shockwave Player that can be exploited by an attacker to execute arbitrary code on a user's system. An attacker can create a specially crafted Adobe Director file with a specific value in an "rcsL" field causing an array-indexing error. More details are available in Adobe Security Bulletin APSA10-04.
A remote, unauthenticated attacker may be able to execute arbitrary code or cause the Shockwave player to crash.
Adobe recommends users of Adobe Shockwave Player 22.214.171.1242 and earlier versions upgrade to the newest version 126.96.36.1995. APSB10-25 contains more details.
Limit access to Director files
Thanks to Adobe and Secunia for reporting this vulnerability.
This document was written by Michael Orlando.
|Date First Published:||2010-10-22|
|Date Last Updated:||2010-10-29 12:24 UTC|