Adobe has issued an important announcement, much of it relating to the impact of vulnerabilities in the Microsoft Active Template Library (ATL) flagged as CVE-2009-0901, CVE-2009-2395, CVE-2009-2493 and described in Microsoft Security Advisory (973882) on Adobe products used as Internet Explorer plug-ins.
It appears that Flash Player and Shockwave Player "leverage" vulnerable versions of ATL.
According to Adobe, the Adobe Reader browser plug-in for Internet Explorer, Connect Pro, Flash Lite for mobile devices, LiveCycle SAP Forms and other products are not subject to the above vulnerabilities. Flash Player within Firefox and other browsers (apart from IE) do not share the vulnerabilities, and nor do Flash Player and Shockwave Player on Macintosh, Linux and Solaris.
The latest version of Shockwave Player, which is now available for download (http://get.adobe.com/shockwave), has been patched. The Flash Player vulnerability will be patched in the update due on July 30, 2009.
Sensibly, Adobe recommend the installation of the MS09-034 security update, which provides mitigation against the vulnerabilities in the relevant versions of ATL.
David Harley
Director of Malware Intelligence
