ADVISORY: Adobe Flash Vulnerability Currently Being Exploited (CVE-2014-8439)
Wednesday, November 26, 2014
This information was sent to U-M IT staff groups on November 26, 2014.
This message is intended for U-M IT staff who are responsible for maintaining and running university systems that allow users to run Adobe Flash.
Summary
There is a critical vulnerability in Adobe Flash that is being actively exploited in the wild.
Problem
Multiple exploit toolkits are available that can exploit this Adobe Flash vulnerability. Active attacks are known to be occurring and are expected to increase. Adobe has released updates to address this vulnerability. The updates should be installed as soon as possible.
Threats
This vulnerability is actively being exploited in the wild by multiple exploit kits.
Affected Systems
Any system using the following versions of Adobe Flash:
- Adobe Flash Player 15.0.0.223 and earlier versions
- Adobe Flash Player 13.0.0.252 and earlier 13.x versions
- Adobe Flash Player 11.2.202.418 and earlier versions for Linux
To verify the version of Adobe Flash Player installed on your system, access the "About Flash Player" page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
Action Items
Adobe recommends users update their software.
- Adobe Flash Player Desktop Runtime for Windows and Macintosh. Update to Adobe Flash Player 15.0.0.239 by visiting the Adobe Flash Player Download Center (http://get.adobe.com/flashplayer/), or by using the update mechanism within the product when prompted.
- Adobe Flash Player Extended Support Release. Update to version 13.0.0.258 by visiting http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.
- Adobe Flash Player for Linux. Update to Adobe Flash Player 11.2.202.424 by visiting the Adobe Flash Player Download Center (http://get.adobe.com/flashplayer/).
- Adobe Flash Player installed with Google Chrome. Will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 15.0.0.239 on Windows and 15.0.0.242 on Macintosh.
- Adobe Flash Player installed with Internet Explorer for Windows 8.x. Will be automatically updated to the latest version, which will include Adobe Flash Player 15.0.0.239.
MiWorkspace computers will receive these updates automatically as soon as possible through MiWorkspace update procedures.
Technical Details
Adobe Flash Player is prone to a vulnerability that could allow for remote code execution due to an error in the handling of a de-referenced memory pointer (CVE-2014-8439).
This vulnerability is partially mitigated by a previous Adobe Flash update (APSB14-22), but that update did not address the root cause.
Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user access.
Questions, Concerns, Reports
Please contact [email protected].
References
- Adobe Security Bulletin APSB14-26
http://helpx.adobe.com/security/products/flash-player/apsb14-26.html - National Vulnerability Database: Vulnerability Summary for CVE-2014-8439
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8439 - F-Secure: Out-of-Band Flash Player Update for CVE-2014-8439
https://www.f-secure.com/weblog/archives/00002768.html