Adobe Corrects 18 Shockwave Security Flaws 

Severity: High

12 May, 2010

Summary:

§  This vulnerability affects: Adobe Shockwave Player 11.5.6.606 and earlier, running on Windows and Macintosh computers

§  How an attacker exploits it: By enticing your users into visiting a website containing a malicious Shockwave or Director file

§  Impact: An attacker can execute code on your computer, potentially gaining control of it

§  What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (11.5.7.609) of Adobe Shockwave Player as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

In a security bulletin released late Tuesday, Adobe warned of eighteen critical vulnerabilities that affect Adobe Shockwave Player 11.5.6.606 for Windows and Macintosh (as well as all earlier versions). Adobe's bulletin doesn't describe the flaws in much technical detail. It only describes the nature of each flaw, and its basic impact. For the most part, the flaws consist of memory related vulnerabilities, including buffer overflows, integer overflows, and various other memory corruption flaws. Though these flaws differ technically, they all share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit any of these vulnerabilities to execute code on that user's computer, with that user's privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC. Adobe's alert doesn't describe what type of Shockwave content triggers these various flaws. However, other researchers alerts have disclosed malicious Shockwave (.SWF) and Director (.DCR) files can trigger these vulnerabilities.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version as soon as you can.

As an aside, Adobe also released a security bulletin to fix three less severe vulnerabilities in their web application server, ColdFusion. We suspect few of our customers use this less popular application server. However, if you do, we recommend you follow the instructions in this Adobe TechNote to fix these vulnerabilities.

Solution Path

Adobe has released a new version of Shockwave Player, version 11.5.7.609. If you use Adobe Flash in your network, we recommend you download and deploy this updated player as soon as possible.

For All WatchGuard Users:

Some of WatchGuard's Firebox models allow you to prevent your users from accessing Shockwave content (.SWF and .DCR) via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of this vulnerability by blocking .SWF and .DCR files using your Firebox's proxy services. That said, many websites rely on Shockwave for interactive content, and blocking it could prevent these sites from working properly.

If you choose to block Shockwave content, follow the links below for video instructions on using your Firebox proxy's content blocking features to block .SWF and .DCR files by their file extensions:

§  Firebox X Edge running 10.x

§  How do I block files with the FTP proxy?

§  How do I block files with the HTTP proxy?

§  How do I block files with the POP3 proxy?

§  How do I block files with the SMTP proxy

§  Firebox X Core and X Peak running Fireware 10.x

§  How do I block files with the FTP proxy?

§  How do I block files with the HTTP proxy?

§  How do I block files with the POP3 proxy?

§  How do I block files with the SMTP proxy?

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

§  Adobe Shockwave Player Security Bulletin

§  Adobe ColdFusion Security Bulletin

This alert was researched and written by Corey Nachreiner, CISSP.