Accessibility

Security bulletin

Security update available for Shockwave Player

Release date: July 28, 2009

Vulnerability identifier: APSB09-11

CVE number: CVE-2009-0901, CVE-2009-2395, CVE-2009-2493

Platform: Internet Explorer on Windows

Summary

Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows leverages a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system.  Adobe has provided a solution for the reported vulnerability.  It is recommended that users update their installations using the instructions provided below.

Affected software versions

Shockwave Player 11.5.0.600 and earlier versions on Windows only.

Solution

Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/.

Users who are unable to update to version 11.5.1.601 of Shockwave Player should consider installing MS09-034.  As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Shockwave Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035.

Severity rating

Adobe categorizes this as a critical update and recommends that users apply the update for their product installations.

Details

Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows leverage a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system. This issue is remotely exploitable. Adobe has provided a solution for the reported vulnerability.

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issue and for working with Adobe to help protect our customers' security: