DOE-CIRC TECHNICAL BULLETIN

T-169: Adobe Shockwave Player Unspecified Security Vulnerability

[CVE-2009-1860]

June 24, 2009 15:00 GMT

PROBLEM: Adobe Shockwave Player contains an unspecified security vulnerability
PLATFORM: Adobe Shockwave Player 11.5.596
ABSTRACT: Adobe Shockwave Player is prone to a vulnerability that allows remote attackers to compromise an affected computer.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-169.shtml
  OTHER LINKS:
    Security Focus Website: http://www.securityfocus.com/bid/35469/info
    Shockwave Player Website: http://www.adobe.com/products/shockwaveplayer/
    Shockwave Player Vulnerability Bulletin: http://www.adobe.com/support/security/bulletins/apsb09-08.html

  CVE: CVE-2009-1860

IMPACT ASSESSMENT: The risk is medium. An attacker could execute arbitrary code, but there are no known working exploits.

[***** Start CVE-2009-1860 *****]
Discussion:
Adobe Shockwave Player is prone to a vulnerability that allows remote attackers to compromise an affected computer.

Very few technical details are currently available. We will update this BID as more information emerges.

Versions prior to Shockwave Player 11.5.0.600 for Microsoft Windows platforms are vulnerable.

Currently we are not aware of any working exploits.

The vendor has released an advisory and updates.
[***** End CVE-2009-1860 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788