Cатсн²² (in)sесuяitу / ChrisJohnRiley

Yes I know, it’s a sensationalist headline, but you have to agree, any software component that comes out with 18 CVE numbers at once, is anything but secure.

Adobe have had a bad record when it comes to providing secure software and add-ons. The almost weekly Adobe 0-day exploits in Acrobat (reader) and Flash have now been joined by a list of critical vulnerabilities in Adobe’s Shockwave Player (11.5.6.606 and older). I’ve given a full list of the CVEs patched at the end of this post (see links). Currently these CVEs are reserved and don’t provide a great deal of information. However the Adobe advisory gives some interesting information about the flaws.

• This update resolves a boundary error vulnerability that if exploited, could lead to memory corruption and possible code execution (CVE-2010-0127)
• This update resolves a signedness error vulnerability that could lead to code execution (CVE-2010-0128)
• This update resolves multiple memory corruption vulnerabilities due to integer overflow that could lead to code execution (CVE-2010-0129)
• This update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-0130)
• This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-0986)
• This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-0987)
• This update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-1280)
• This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1281)
• This update resolves an infinite loop vulnerability that could lead to a denial of service (CVE-2010-1282)
• This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1283)
• This update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2010-1284)
• This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1286)
• This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1287)
• This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-1288)
• This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1289)
• This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1290)
• This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1291)
• This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1292)

As you can see there’s a whole lot of “code execution” in this advisory. Adobe have, obviously, suggested an upgrade to the latest version (11.5.7.609) which deals with these issues. That’s one option obviously, the other, is to remove/disable  Shockwave Player. If you’re a home user, this is simple to achieve. Simple uninstall the software. However for enterprise users it’s a little harder to achieve. Below is one method to disable the Shockwave Player within Internet Explorer, and reduce the overall attack surface.

* Disclaimer * Please backup your configuration before performing any registry changes, and test this solution within your environment before using it.

Workaround:

To disable the Shockwave Player within Internet Explorer, you will need to edit the registry to add/alter a key within the “ActiveX Compatibility” subkey.

The exact location is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

From here check to see if a Class identifier (CLSID) of {166B1BCA-3F9C-11CF-8075-444553540000} is already present. If not, create it and New DWORD called Compatibility Flags. Double click this DWORD and set th value of 0x400 (hex). That’s it, simply restart Internet Explorer and goto http://www.adobe.com/shockwave/welcome/to test.

Shockwave Player - Enabled

Shockwave Player - Disabled

 To make it a little easier, here’s the exported registry (.reg) file that you can directly import into your registry (please backup/test before rolling out).

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{166B1BCA-3F9C-11CF-8075-444553540000}]
"Compatibility Flags"=dword:00000400

You can also download a copy of the .reg file from here.

Links:

• Adobe Shockwave Player – Security Bulletin APSB10-12
• Adobe Shockwave Player – Download
• CVE Links (Currently Reserved – No additional Information as yet)
  • CVE-2010-0127
  • CVE-2010-0128
  • CVE-2010-0129
  • CVE-2010-0130
  • CVE-2010-0986
  • CVE-2010-0987
  • CVE-2010-1280
  • CVE-2010-1281
  • CVE-2010-1282
  • CVE-2010-1283
  • CVE-2010-1284
  • CVE-2010-1286
  • CVE-2010-1287
  • CVE-2010-1288
  • CVE-2010-1289
  • CVE-2010-1290
  • CVE-2010-1291
  • CVE-2010-1292