VRDA Feed by JPCERT/CC
  Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis
Vulnerability Analysis Result (Revision No : 1)
VRDA-100125-001
Adobe Shockwave Player Updates for Multiple Vulnerabilities
http://www.adobe.com/support/security/bulletins/apsb10-03.html

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version using the instructions provided below.




About This Analysis Information
Analysis Information Provider:
JPCERT/CC
First Published:
2010-01-25
Source Information Category:
Advisory, Alert
Last Updated:
2010-01-25




Affected Product Tags
cpe:/a:adobe:shockwave_player     (Adobe Macromedia Shockwave Player)
 


Vulnerability Analysis Results
[Information Source Reliability]
Low
Medium
X High

[Impact Level]
Low
Low-Medium
Medium-High
X High

[Access Required]
Physical
Local
Non-routed
X Routed

[Authentication]
Privileged
Standard
Limited
X None or Unnecessary

[User Interaction Required]
Complex
X Simple
None

[Technical Difficulty]
High
Medium-High
Low-Medium
Low

[Availability of Remediation]
X Official Patch
Official Workaround
Unofficial Patch
None

[Incident Activity]
X None
Exploit or PoC
Activity Observed

Alternatives




References
Common Vulnerabilities and Exposures (CVE) CVE-2009-4003
Multiple integer overflows in Adobe Shockwave Player before 11.5.6.606 allow remote attackers to execute arbitrary code via (1) an unspecified block type in a Shockwave file, leading to a heap-based buffer overflow; and might allow remote attackers to execute arbitrary code via (2) an unspecified 3D block in a Shockwave file, leading to memory corruption; or (3) a crafted 3D model in a Shockwave file, leading to heap memory corruption.




Common Vulnerabilities and Exposures (CVE) CVE-2009-4002
Heap-based buffer overflow in Adobe Shockwave Player before 11.5.6.606 allows remote attackers to execute arbitrary code via a crafted 3D model in a Shockwave file.





Copyright © 2010 JPCERT/CC All Rights Reserved.