Adobe Security Bulletin
Security update available for Adobe Shockwave Player | APSB19-20
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB19-20 | April 09, 2019 | 2 |

Summary

Adobe has released a security update for Adobe Shockwave Player for Windows. This update resolves multiple critical memory corruption vulnerabilities that could lead to arbitrary code execution in the context of the current user.

Affected product version

| Product | Version | Platform |
|---|---|---|
| Adobe Shockwave Player | 12.3.4.204 and earlier | Windows |

Solution

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version by following the instructions below:

| Product | Version | Platform | Priority rating | Availability |
|---|---|---|---|---|
| Adobe Shockwave Player | 12.3.5.205 | Windows | 2 | Shockwave Player Download Center |

Note:

  • Beginning with version 12.3.5.205, support for .dir (director movie extension) has been removed from the player.
  • Shockwave will be retired on April 9, 2019. For more information, visit the Shockwave End of Life HelpX FAQ.

Vulnerability Details

| Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
|---|---|---|---|
| Memory Corruption | Arbitrary Code Execution | Critical | CVE-2019-7098 |
| Memory Corruption | Arbitrary Code Execution | Critical | CVE-2019-7099 |
| Memory Corruption | Arbitrary Code Execution | Critical | CVE-2019-7100 |
| Memory Corruption | Arbitrary Code Execution | Critical | CVE-2019-7101 |
| Memory Corruption | Arbitrary Code Execution | Critical | CVE-2019-7102 |
| Memory Corruption | Arbitrary Code Execution | Critical | CVE-2019-7103 |
| Memory Corruption | Arbitrary Code Execution | Critical | CVE-2019-7104 |

Acknowledgments

Adobe would like to thank Honggang Ren of Fortinet's FortiGuard Labs for reporting this issue and for working with Adobe to help protect our customers.

Revisions

April 17, 2019: Link updated for Shockwave Player Download location