Release date: February 8, 2011
Last Updated: February 22, 2011
Vulnerability identifier: APSB11-01
CVE number: CVE-2010-2587, CVE-2010-2588, CVE-2010-2589, CVE-2010-4092,
CVE-2010-4093, CVE-2010-4187, CVE-2010-4188, CVE-2010-4189, CVE-2010-4190,
CVE-2010-4191, CVE-2010-4192, CVE-2010-4193, CVE-2010-4194, CVE-2010-4195,
CVE-2010-4196, CVE-2010-4306, CVE-2010-4307, CVE-2011-0555, CVE-2011-0556,
CVE-2011-0557, CVE-2011-0569
Platform: Windows and Macintosh
Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.615 and earlier
versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an
attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected
system. Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions
update to Adobe Shockwave Player 11.5.9.620 using the instructions provided below.
Shockwave Player 11.5.9.615 and earlier versions for Windows and Macintosh
Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions upgrade to
the newest version 11.5.9.620, available here: http://get.adobe.com/shockwave/.
Note: Due to limitations in MSI versioning, the MSI version will appear as 11.5.10.620 in Add/Remove Programs and Run-Advertised Programs in the case of SMS installation.
Adobe categorizes this as a critical update and recommends that users apply the latest update for
their product installation by following the instructions in the "Solution" section above.
Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.9.615 and earlier
versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an
attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected
system. Adobe recommends users of Adobe Shockwave Player 11.5.9.615 and earlier versions
update to Adobe Shockwave Player 11.5.9.620 using the instructions provided above.
This update resolves a memory corruption vulnerability in the dirapi.dll module that could lead
to code execution (CVE-2010-2587).
This update resolves a memory corruption vulnerability in the dirapi.dll module that could lead
to code execution (CVE-2010-2588).
This update resolves an integer overflow vulnerability in the dirapi.dll module that could lead to
code execution (CVE-2010-2589).
This update resolves a use-after-free vulnerability that could lead to code execution
(CVE-2010-4092).
This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-4093).
This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-4187).
This update resolves a memory corruption vulnerability in the dirapi.dll module that could lead
to code execution (CVE-2010-4188).
This update resolves a memory corruption vulnerability in the IML32 module that could lead to
code execution (CVE-2010-4189).
This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-4190).
This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-4191).
This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-4192).
This update resolves an input validation vulnerability that could lead to code execution
(CVE-2010-4193).
This update resolves an input validation vulnerability in the dirapi.dll module that could lead to
code execution (CVE-2010-4194).
This update resolves an input validation vulnerability in the TextXtra module that could lead to
code execution (CVE-2010-4195).
This update resolves an input validation vulnerability in the Shockwave 3d Asset module that could
lead to code execution (CVE-2010-4196).
This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2010-4306).
This update resolves a buffer overflow vulnerability that could lead to code execution
(CVE-2010-4307).
This update resolves a memory corruption vulnerability that could lead to code execution
(CVE-2011-0555).
This update resolves a memory corruption vulnerability in the Font Xtra.x32 module that could
lead to code execution (CVE-2011-0556).
This update resolves an integer overflow vulnerability that could lead to code execution
(CVE-2011-0557).
This update resolves a memory corruption vulnerability in the Font Xtra.x32 module that could
lead to code execution (CVE-2011-0569).
Adobe would like to thank the following individuals and organizations for reporting the relevant
issues and for working with Adobe to help protect our customers:
February 22, 2011 - Bulletin updated with information on MSI versioning.