Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > July 2009 > 3871 - Security update available for Shockwave Player

July 2009

3871 - Security update available for Shockwave Player

ID: 3871
Date: 30/07/2009
Title: 3871 - Security update available for Shockwave Player
Platform level affected:Net Application - Client
Hardware components affected:Intel PC
Specific operating systems components affected: 32-bit Windows
Other software: Web Browser
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:Adobe
Applications affected:Shockplayer
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Adobe
Reliability of source: Trusted
Source URL: http://www.adobe.com/support/security/bulletins/apsb09-11.html
CVE: CVE-2009-0901, CVE-2009-2395, CVE-2009-2493
Abstract: Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows leverages a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system. Adobe has provided a solution for the reported vulnerability. It is recommended that users update their installations using the instructions provided below.

Release date: July 28, 2009

Vulnerability identifier: APSB09-11

CVE number: CVE-2009-0901, CVE-2009-2395, CVE-2009-2493

Platform: Internet Explorer on Windows

Summary

Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows leverages a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system.  Adobe has provided a solution for the reported vulnerability.  It is recommended that users update their installations using the instructions provided below.

Affected software versions

Shockwave Player 11.5.0.600 and earlier versions on Windows only.

Solution

Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/.

Users who are unable to update to version 11.5.1.601 of Shockwave Player should consider installing MS09-034.  As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Shockwave Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035.

Severity rating

Adobe categorizes this as a critical update and recommends that users apply the update for their product installations.

Details

Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows leverage a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system. This issue is remotely exploitable. Adobe has provided a solution for the reported vulnerability.

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issue and for working with Adobe to help protect our customers' security:

  • David Dewey of IBM ISS X-Force
  • Ryan Smith of VeriSign iDefense Labs
  • Microsoft Vulnerability Research Program (MSVR)

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

Thu, 30 Jul 2009 10:30:00 GMT
Domain affected: Technical
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |