We evaluated the impact of the vulnerable versions of the Microsoft Active Template Library (ATL) / CVE-2009-0901, CVE-2009-2395, CVE-2009-2493 /
Microsoft Security Advisory (973882) on the Adobe product portfolio. We determined that Flash Player and Shockwave Player are the two products that leverage vulnerable versions of ATL. A
Security Advisory for Flash Player and a
Security Bulletin for Shockwave Player have been posted to our security bulletins and advisories page.
PSIRT has determined that the Adobe Reader browser plug-in for Internet Explorer, Connect Pro, Flash Lite for mobile devices, LiveCycle SAP Forms and other products are NOT vulnerable to CVE-2009-0901, CVE-2009-2395, or CVE-2009-2493.
Note that only Internet Explorer plug-ins are vulnerable. Thus,
people using Flash Player within the Firefox browser -- as well as all other Windows-based browsers (that aren't Internet Explorer) -- are not vulnerable. Additionally, Flash Player and Shockwave Player on Macintosh, Linux and Solaris operating systems are not vulnerable.
Per the Shockwave Player
Security Bulletin, this vulnerability has been patched in the latest version of Shockwave Player, which is now available for download (
Adobe - Adobe Shockwave Player). Per the
Security Advisory for Flash Player, this vulnerability will be patched in the scheduled July 30, 2009 update of Flash Player.
Users should consider installing
MS09-034. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Flash Player and Shockwave Player, that have been developed with vulnerable versions of ATL as described in
Microsoft Security Advisory (973882) and
Microsoft Security Bulletin MS09-035.
We will continue to provide updates on this issue via the
Security Advisory section of the Adobe web site, as well as the
Adobe PSIRT blog.
This posting is provided "AS IS" with no warranties and confers no rights.
