{"vuid":"VU#402231","idnumber":"402231","name":"Adobe Shockwave Player Director file 'rcsL' chunk parsing vulnerability","keywords":["Adobe","Shockwave Player","Director File","rcsL","Chunk Parsing"],"overview":"Adobe Shockwave Player 11.5.8.612 and earlier versions on the Windows and Macintosh operating systems contain a critical vulnerability in the handling of \"rcsL\" chunks.","clean_desc":"Adobe Macromedia Shockwave Player is software that plays active web content developed in Macromedia and Adobe Director. Shockwave Player is available as an ActiveX control for Internet Explorer and as a plug-in for other web browsers. A vulnerability has been discovered in Shockwave Player that can be exploited by an attacker to execute arbitrary code on a user's system. An attacker can create a specially crafted Adobe Director file with a specific value in an \"rcsL\" field causing an array-indexing error. More details are available in Adobe Security Bulletin APSA10-04. Note: Exploit code for this vulnerability is publicly available.","impact":"A remote, unauthenticated attacker may be able to execute arbitrary code or cause the Shockwave player to crash.","resolution":"Adobe recommends users of Adobe Shockwave Player 11.5.8.612 and earlier versions upgrade to the newest version 11.5.9.615. APSB10-25 contains more details.","workarounds":"Limit access to Director files Restricting the handling of untrusted Director content may help mitigate this vulnerability. See Securing Your Web Browser for more information. Consider using the NoScript extension to whitelist web sites that can run Shockwave Player in Mozilla browsers such as Firefox. See the NoScript FAQ for more information. Disable the Shockwave Player ActiveX control in Internet Explorer The Shockwave Player ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs: {166B1BCA-3F9C-11CF-8075-444553540000} {233C1507-6A77-46A4-9443-F871F945D258} More information about how to set the kill bit is available in Microsoft Support Document 240797.Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{166B1BCA-3F9C-11CF-8075-444553540000}] \"Compatibility Flags\"=dword:00000400\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{166B1BCA-3F9C-11CF-8075-444553540000}]\n\"Compatibility Flags\"=dword:00000400 [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{233C1507-6A77-46A4-9443-F871F945D258}] \"Compatibility Flags\"=dword:00000400\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{233C1507-6A77-46A4-9443-F871F945D258}]\n\"Compatibility Flags\"=dword:00000400","sysaffected":"","thanks":"Thanks to Adobe and Secunia for reporting this vulnerability.","author":"This document was written by Michael Orlando.","public":["http://secunia.com/advisories/41932/","http://www.adobe.com/support/security/advisories/apsa10-04.html","http://blogs.adobe.com/psirt/2010/10/security-advisory-for-adobe-shockwave-player-apsa10-04.html","http://www.adobe.com/support/security/bulletins/apsb10-25.html","http://www.exploit-db.com/exploits/15296/","http://www.abysssec.com/blog/2010/10/adobe-shockwave-player-rcsl-chunk-memory-corruption-0day/"],"cveids":["CVE-2010-3653"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2010-10-22T12:54:37Z","publicdate":"2010-10-21T00:00:00Z","datefirstpublished":"2010-10-22T19:41:44Z","dateupdated":"2010-10-29T12:24:06Z","revision":43,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"15","cam_population":"15","cam_impact":"13","cam_easeofexploitation":"18","cam_attackeraccessrequired":"18","cam_scorecurrent":"41.461875","cam_scorecurrentwidelyknown":"41.461875","cam_scorecurrentwidelyknownexploited":"65.154375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":41.461875,"vulnote":null}