A critical Adobe flaw fixed

by Ivana Strahija on February 26th, 2006

Adobe Systems has fixed a critical flaw in Macromedia Shockwave Installer, which had the capacity to expose millions of PCs to code execution attacks.


Shockwave Player 10.1.0.11 and earlier versions are affected, but according to Adobe's advisory, the vulnerability occurs only during the installation process, and current users do not need to take action. Also, people installing the latest version of Shockwave Player are no longer in danger.

The flaw was first reported by TippingPoint's Zero Day Initiative. It is caused by a boundary error in the Shockwave Installer ActiveX control: an attacker could trigger a stack-based buffer overflow by passing overly long values in two specific parameters to the control.

This can happen only if users try to install Shockwave Player from a spoofed website, Secunia warned, advising users to download and install Shockwave Player only from Adobe's original website.

Zero Day Initiative said that the user is not required to have fully completed an installation of Shockwave to be vulnerable. "This specific flaw exists within the ActiveX control with CLSID 166B1BCA-3F9C-11CF-8075-444553540000. Specifying large values for two specific parameters to this control results in an exploitable stack based buffer overflow," company officials added.

