Immediate patching needed for multiple Adobe Flash Player vulnerabilities

This information was sent to U-M IT staff groups on January 27, 2015

This message is intended for U-M IT staff who are responsible for maintaining and running university machines.

Summary

Multiple Adobe Flash Player vulnerabilities are being actively exploited. Patches are available, and we are asking that you apply them immediately. Even if you applied the patch made available last week, you will need to patch again. A new critical patch was released this week.

Problem

Vulnerabilities in Adobe Flash Player could allow remote code execution. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer. Failed exploit attempts will likely cause denial-of-service conditions. The vulnerabilities are being actively exploited.

Affected Systems

  • Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 13.0.0.262 and earlier 13.x versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.438 and earlier versions for Linux

Action Items

Adobe Flash Player 16.0.0.296 has been made available through auto-update and manual download. This version mitigates CVE-2015-0311, which was being used by the Angler Exploit Kit. This version also addresses CVE-2015-0312, which allowed for potential remote code execution.

For the machines you are responsible for:

  • Install the updates provided by Adobe immediately after appropriate testing.
  • Limit user account privileges to only those required.

For users, recommend the following:

  • Do not visit websites or follow links provided by unknown or untrusted sources.
  • Do not open email attachments from unknown or untrusted sources.
  • Use Google Chrome for web browsing as it may not be vulnerable to the exploits.

Technical Details

These vulnerabilities could give an attacker the ability to run remote code on the system with the same permissions level that the user/browser has. Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer.

Questions, Concerns, Reports

Please contact [email protected].

Sincerely, 
ITS Information and Infrastructure Assurance