Reference: CERT-EU Security Advisory 2012-0017

Title: Adobe Shockwave Player - remote code execution vulnerability[1]

Version history:
15.02.2012 Initial publication
15.02.2012 Adjusted CERT-EU reference number

Summary
=======

Adobe reported vulnerabilities in its Shockwave Player that could allow an attacker to run malicious code on the affected system. Adobe recommends that users of Adobe Shockwave Player 11.6.3.633 and earlier versions update to Adobe Shockwave Player 11.6.4.634.

CVSS Base Score

CVSS v2 Base Score: 6.8 (HIGH) (AV:N/AC:M/Au:N/C:P/I:P/A:P)[2]

Original Details
================

* several memory corruption vulnerabilities in the Shockwave 3D Asset that could lead to code execution: CVE-2012-0757, CVE-2012-0759, CVE-2012-0760, CVE-2012-0761, CVE-2012-0762, CVE-2012-0763, CVE-2012-0764 and CVE-2012-0766
* heap overflow vulnerability that could lead to code execution (CVE-2012-0758).

What can you do?
================

Deploy the updated versions of the software[1].

What to tell your users?
========================

Normal security best practices apply. In particular, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails and should immediately forward the suspicious email to the respective IT security officer / contact in your institution. Run your applications with a non-privileged account.

More information
================

[1] Adobe http://www.adobe.com/support/security/bulletins/apsb12-02.html
[2] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012.
Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)