Adobe Shockwave Player Multiple Code Execution Vulnerabilities

Number: AV09-044
Date: 5 November 2009

Purpose

The purpose of this advisory is to bring attention to code execution vulnerabilities in the Adobe Shockwave Player and to provide updates for these vulnerabilities.

Assessment

According to the vendor, exploiting these vulnerabilities results in arbitrary code execution and denial-of-service (DoS) conditions.

The updates:

  • resolve an invalid index vulnerability that could potentially lead to code execution
  • resolve invalid pointer vulnerabilities that could potentially lead to code execution
  • resolve an invalid string length vulnerability that could potentially lead to code execution
  • resolve a boundary condition issue that could lead to a DoS issue

CVE: 2009-3463, 2009-3464, 2009-3465, 2009-3466, 2009-3244

Suggested action

CCIRC recommends that administrators test and deploy these updates according to their Release Management practices, as appropriate, at the earliest opportunity.

References:
http://www.adobe.com/support/security/bulletins/apsb09-16.html

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca