ADVISORY: Adobe Flash Vulnerability Currently Being Exploited (CVE-2014-8439)
This information was sent to U-M IT staff groups on November 26, 2014.
This message is intended for U-M IT staff who are responsible for maintaining and running university systems that allow users to run Adobe Flash.
There is a critical vulnerability in Adobe Flash that is being actively exploited in the wild.
Multiple exploit toolkits are available that can exploit this Adobe Flash vulnerability. Active attacks are known to be occurring and are expected to increase. Adobe has released updates to address this vulnerability. The updates should be installed as soon as possible.
Any system using the following versions of Adobe Flash:
- Adobe Flash Player 184.108.40.206 and earlier versions
- Adobe Flash Player 220.127.116.11 and earlier 13.x versions
- Adobe Flash Player 18.104.22.1688 and earlier versions for Linux
To verify the version of Adobe Flash Player installed on your system, access the "About Flash Player" page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
Adobe recommends users update their software.
- Adobe Flash Player Desktop Runtime for Windows and Macintosh. Update to Adobe Flash Player 22.214.171.124 by visiting the Adobe Flash Player Download Center (http://get.adobe.com/flashplayer/), or by using the update mechanism within the product when prompted.
- Adobe Flash Player Extended Support Release. Update to version 126.96.36.1998 by visiting http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.
- Adobe Flash Player for Linux. Update to Adobe Flash Player 188.8.131.524 by visiting the Adobe Flash Player Download Center (http://get.adobe.com/flashplayer/).
- Adobe Flash Player installed with Google Chrome. Will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 184.108.40.206 on Windows and 220.127.116.11 on Macintosh.
- Adobe Flash Player installed with Internet Explorer for Windows 8.x. Will be automatically updated to the latest version, which will include Adobe Flash Player 18.104.22.168.
MiWorkspace computers will receive these updates automatically as soon as possible through MiWorkspace update procedures.
This vulnerability is actively being exploited in the wild by multiple exploit kits.
Adobe Flash Player is prone to a vulnerability that could allow for remote code execution due to an error in the handling of a de-referenced memory pointer (CVE-2014-8439).
This vulnerability is partially mitigated by a previous Adobe Flash update (APSB14-22), but that update did not address the root cause.
Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user access.
Questions, Concerns, Reports
Please contact firstname.lastname@example.org.
- Adobe Security Bulletin APSB14-26
- National Vulnerability Database: Vulnerability Summary for CVE-2014-8439
- F-Secure: Out-of-Band Flash Player Update for CVE-2014-8439