[BGA - SignalSEC Advisory]:Adobe Shockwave Player Remote Code Execution
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [BGA - SignalSEC Advisory]:Adobe Shockwave Player Remote Code Execution
- From: signaladvisory@xxxxxxxxx
- Date: Tue, 14 Jun 2011 23:16:48 GMT
Affected Vendors: Adobe
Affected Products: Shockwave Player
CVE ID: CVE-2011-2122
Risk Level: High
Vulnerability: Memory Corruption
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of the Adobe Shockwave Player. User interaction is
required to trigger this vulnerability in that the target must visit a
malicious page or open a malicious file.
A memory corruption vulnerability exists in the Dirapi.dll component that could
lead to code execution. By crafting specific values within rcsL substructures,
an attacker can corrupt memory.
Disclosure Timeline:
2011-02-14 - Vulnerability reported to vendor
2011-06-14 - Coordinated public release of advisory
Vendor Response:
Adobe has released a patch for this issue. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-17.html
Credit:
This vulnerability was discovered by Celil UNUVER from BGA and SignalSEC.
About BGA:
BGA InfoSec Academy is a company located in Turkey which provides information
security training, penetration testing, malware analysis and software
security audit services.
www.bga.com.tr
---
About SignalSEC:
SignalSEC is a company located in Turkey which provides vulnerability, cyber
threat intelligence and research services.
www.signalsec.com