Disabling web browser plug-ins could help protect against unauthenticated, remote attacks that execute arbitrary code on targeted systems.
Web browsers with plug-ins that allow interaction with Oracle Java, Adobe Shockwave Player, or Adobe Reader may be vulnerable. An unauthenticated, remote attacker could exploit unpatched vulnerabilities, or any new vulnerability that may arise.
An unauthenticated, remote attacker could typically exploit a Java vulnerability in web browsers by convincing a user to follow a malicious URL. When the user visits the URL, the attacker could execute arbitrary code on the targeted system. Multiple vendors, such as Microsoft, Google, Apple, and Mozilla, offer web browser products with the option to disable Java and the Java plug-in. Information on how to disable Java in web browsers is available at the following links:
To exploit a vulnerability in Adobe Shockwave Player or Reader, an attacker could use the same or similar tactics, such as convincing a user to view a malicious .swf or .pdf file. If the user views the malicious file, the attacker could execute arbitrary code on the targeted system. Information on how to disable Shockwave and PDF plug-ins in web browsers is available at the following links:
The security vulnerability applies to the following combinations of products.
Security Activity Bulletin
Original Release Base
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.