Security Best Practice: Protect Yourself from Multiple Adobe Shockwave Player and Adobe Director Vulnerabilities (APSB10-12)

Vulnerability
Protection

Check Point Reference:	SBP-2010-19
Date Published:
Severity:
Source:	Adobe Security Bulletin APSB10-12
Industry Reference(s):	CVE-2010-0127 CVE-2010-0128 CVE-2010-0129 CVE-2010-0130 CVE-2010-0986 CVE-2010-0987 CVE-2010-1280 CVE-2010-1281 CVE-2010-1282 CVE-2010-1283 CVE-2010-1284 CVE-2010-1286 CVE-2010-1287 CVE-2010-1288 CVE-2010-1289 CVE-2010-1290 CVE-2010-1291 CVE-2010-1292
Protection Provided by:	Security Gateway R71 R70 IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? Shockwave Player 11.5.6.606 and earlier versions for Windows and Macintosh
Vulnerability Description Multiple vulnerabilities have been identified in Adobe Shockwave Player. Adobe Shockwave is a multimedia player that allows Adobe Director applications to be published on the Internet and viewed in a web browser by anyone who has the Shockwave plug-in installed. An attacker can exploit these issues via a specially crafted Director file. A remote attacker may exploit these vulnerabilities to create a denial of service condition or to take complete control of an affected system.

Update/Patch Available
Apply Hotfix:
Adobe Security Bulletin APSB10-12

Vulnerability Details
The vulnerabilities are due to memory corruption, integer overflow, buffer overflow, and boundary errors in Adobe Shockwave Player that fails to properly handle Director files. A remote attacker could trigger these flaws by convincing a victim to open a specially crafted Director file. Successful exploitation of this issue may corrupt system memory, allowing execution of malicious code on the affected system.

Protection Overview
This protection detects and blocks the transferring of Adobe Director files over HTTP.

Since the protection offered in this advisory may block access to legitimate files, users are advised to use this protection as a workaround till all systems are patched.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Content Protection.
2. In the right pane, double-click the Adobe Director Files protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information: Adobe Director file

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the SWF Parser protection group.
3. Click Adobe Director file detected (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Badfiles SWF file Alert/Filter
Description: Adobe Director file detected

Legal Notice for Threat Center Advisories