NOTICE: Update Adobe Flash Player to address new vulnerability

Wednesday, October 26, 2016

This information is intended for U-M IT staff who are responsible for maintaining machines with Adobe Flash Player installed.

Summary

A use-after-free vulnerability has been discovered in Adobe Flash Player that could allow for code execution, potentially allowing an attacker to take control of the affected system. Install the updates provided by Adobe as soon as possible after appropriate testing.

Problem

A use-after-free vulnerability has been discovered in Adobe Flash Player. Successful exploitation of this vulnerability could allow an attacker to take control of the affected system and install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts could result in denial-of-service conditions.

Threats

Exploit code for this vulnerability exists in the wild, and there are reports of this vulnerability being exploited against users running Windows 7, 8.1, and 10 in limited, targeted attacks.

Affected Versions

  • Adobe Flash Player Desktop Runtime prior to version 23.0.0.205 (get update from Flash Player Download Center)
  • Adobe Flash Player for Google Chrome prior to version 23.0.0.205. Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 23.0.0.205 for Windows, Macintosh, Linux and Chrome OS.
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 prior to version 23.0.0.205. Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 23.0.0.205.
  • Adobe Flash Player for Linux prior to version 11.2.202.643 (get update from Flash Player Download Center)
     

Action Items

  • Install the updates provided by Adobe as soon as possible after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

We encourage the entire university community to:

  • Remove Adobe Flash from systems where it is not used.
  • Ensure that all current and future Adobe Flash updates are applied quickly and consistently on all systems that need Adobe Flash.
  • Enable automatic updates for Flash when appropriate.
  • Consider configuring all web browsers to enable click-to-play for Flash content when possible.

Information for Users

MiWorkspace machines with Flash installed will be updated as soon as possible. We recommend that you remove Flash from your personally owned computers if you do not use it. If you need it, set it to update automatically.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact [email protected].