PROBLEM:
Adobe Shockwave Player installs Xtras without prompting
PLATFORM:
Adobe Shockwave Player
ABSTRACT:
A vulnerability was reported in Adobe Shockwave.
REFERENCE LINKS:
Vulnerability Note VU#519137
SecurityTracker Alert ID: 1027903
Bugtraq ID: 56972
CVE-2012-6271
IMPACT ASSESSMENT:
Medium
DISCUSSION:
Adobe Shockwave Player through 11.6.8.638 allows remote attackers to trigger installation of arbitrary signed Xtras via a Shockwave movie that contains an Xtra URL, as demonstrated by a URL for an outdated Xtra.
IMPACT:
By convincing a user to view specially crafted Shockwave content, an attacker may be able to execute arbitrary code with the privileges of the user.
SOLUTION:
No solution was available at the time of this entry.
The vendor plans to issue a fix in February 2013.