Author Topic:  ShockWave Player ActiveX Buffer Overflow
Wiz Feinberg
From: Mid-Michigan, USA
Posted 2 Mar 2006 7:06 am

From http://secunia.com/

Macromedia ShockWave Player ActiveX Installer Buffer Overflow

Secunia Advisory: SA19009
Release Date: 2006-02-24
Last Update: 2006-03-01

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software:
Shockwave Player 10.x
Shockwave Player 8.x
Shockwave Player 9.x

CVE reference: CVE-2005-3525

Description:
Peter Vreugdenhil has reported a vulnerability in Macromedia ShockWave Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the Installer ActiveX control. This can be exploited to cause a stack-based buffer overflow via overly long values passed in two specific parameters to the control.

Successful exploitation allows arbitrary code execution, but requires that the user is e.g. tricked into visiting a malicious web site that prompts the user to install Shockwave Player.

The vulnerability has been reported in versions 10.1.0.11 and prior.

NOTE: The vendor has reported that the vulnerability occurs only during the installation process, and no action needs to be taken by current users.

Solution:
Only install ShockWave Player directly from the vendor's web site.

Take note that Macromedia has just been acquired by Adobe, and says this about the new vulnerability:

"Adobe has fixed the issue in the Shockwave Player ActiveX installer. Since the vulnerability occurs in the installer, no action needs to be taken by current Macromedia Shockwave Player by Adobe customers. Customers downloading and installing the latest Shockwave Player are also no longer vulnerable with the updated Shockwave Player ActiveX installer."

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here.

[This message was edited by Wiz Feinberg on 03 March 2006 at 09:15 AM.]


Jeff Agnew
From: Dallas, TX
Posted 3 Mar 2006 8:20 am

The link should be to Secunia.

Wiz Feinberg
From: Mid-Michigan, USA
Posted 3 Mar 2006 9:16 am

Jeff;
Thanks for the heads-up on the bad link I posted. I have fixed it.

All times are GMT - 8 Hours