=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN259
_____________________________________________________________________

DATE                      : 26/06/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows running Shockwave Player.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb09-08.html
______________________________________________________________________
Security Update available for Shockwave Player

Release date:             June 23, 2009
Vulnerability identifier: APSB09-08
CVE number:               CVE-2009-1860

Platform:

Windows

Summary

A critical vulnerability has been identified in Adobe Shockwave Player
11.5.0.596 and earlier versions. This vulnerability could allow an attacker
who successfully exploits this vulnerability to take control of the affected
system.  Adobe has provided a solution for the reported vulnerability.  It
is recommended that users update their installations using the instructions
provided below.

Affected software versions

Shockwave Player 11.5.0.596 and earlier versions

Solution

Adobe recommends Shockwave Player users on Windows uninstall Shockwave
version 11.5.0.596 and earlier on their systems, restart, and install
Shockwave version 11.5.0.600, available here:
  http://get.adobe.com/shockwave/.

Severity rating

Adobe categorizes this as a critical update and recommends that users apply
the update for their product installations.

Details

A critical vulnerability has been identified in Adobe Shockwave Player
11.5.0.596 and earlier versions. This vulnerability could allow an attacker
who successfully exploits this vulnerability to take control of the affected
system.  Adobe has provided a solution for the reported vulnerability
(CVE-2009-1860). This issue was previously resolved in Shockwave Player
11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a backwards
compatibility mode variation of the issue with Shockwave Player 10 content.
To resolve this issue, Shockwave Player users on Windows should uninstall
Shockwave version 11.5.0.596 and earlier on their systems, restart, and
install Shockwave version 11.5.0.600, available here:
  http://get.adobe.com/shockwave/.
This issue is remotely exploitable.

Acknowledgments

Adobe would like to thank Paul Kurczaba reporting through TippingPoint's Zero
Day Initiative (CVE-2009-1860) for reporting this vulnerability and for
working with Adobe to help protect our customers' security.
======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================



