V-053: Adobe Shockwave player installs Xtras without prompting

December 24, 2012 - 12:15am

PROBLEM:

Adobe Shockwave player installs Xtras without prompting

PLATFORM:

Adobe Shockwave Player

ABSTRACT:

A vulnerability was reported in Adobe Shockwave.

REFERENCE LINKS:

Vulnerability Note VU#519137
SecurityTracker Alert ID: 1027903
Bugtraq ID: 56972
CVE-2012-6271

IMPACT ASSESSMENT:

Medium

DISCUSSION:

Adobe Shockwave Player through 11.6.8.638 allows remote attackers to trigger installation of arbitrary signed Xtras via a Shockwave movie that contains an Xtra URL, as demonstrated by a URL for an outdated Xtra.

IMPACT:

By convincing a user to view specially crafted Shockwave content, an attacker may be able to execute arbitrary code with the privileges of the user.

SOLUTION:

No solution was available at the time of this entry.

The vendor plans to issue a fix in February 2013.
