Security bulletin

Security advisory for Adobe Flash Player

Release date: July 28, 2009

Last Updated: July 30, 2009

Vulnerability identifier: APSA09-04

CVE number: CVE-2009-0901, CVE-2009-2495, CVE-2009-2493

Platform: Internet Explorer on Windows


Adobe Flash Player and, and earlier 9.x and 10.x versions installed on Windows operating systems for use with Internet Explorer leverage a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). This critical vulnerability could allow an attacker who successfully exploits the vulnerability to take control of the affected system.

Note that this vulnerability is exclusive to Internet Explorer on Windows. Installations of Flash Player for Firefox or other web browsers on Windows are not vulnerable.

Adobe has released product updates to Adobe Flash Player to resolve the relevant security issues. For more information, please refer to Security Bulletin APSB09-10.

Users should consider installing MS09-034.  As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Flash Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035

Users may monitor the latest information about this issue on the Adobe Product Security Incident Response Team blog at the following URL: or by subscribing to the RSS feed here:

Affected software versions

Adobe Flash Player and and earlier 9.x and 10.x versions.

Severity rating

Adobe categorizes this as a critical update.


July 30, 2009 - Advisory updated with link to Security Bulletin that resolves the relevant security issues.
July 28, 2009 - Advisory created.