NOTICE: Apply Adobe security updates

Wednesday, February 13, 2019

This information is intended for U-M IT staff who are responsible for maintaining machines with Adobe Acrobat, ColdFusion, Flash Player, or the Creative Cloud Desktop Application.

Summary

Adobe has released security updates to address vulnerabilities in a variety of Adobe products. Some of the vulnerabilities could allow an attacker to take control of an affected system. In accordance with Adobe’s recommendation, Information Assurance (IA) recommends updating affected software within 30 days, after appropriate testing.

Problem

  • Critical vulnerabilities have been identified in Adobe Acrobat, Reader, and ColdFusion. Successful exploitation could allow for arbitrary code execution.
  • Important vulnerabilities have been identified in Adobe Flash Player and Creative Cloud Desktop Application. Successful exploitation could compromise data security, potentially allowing access to data, or could compromise processing resources in a user's computer.

Threats

As of today (February 13), IA is unaware of reports of any exploitation of these vulnerabilities in the wild. Exploitation of the most serious vulnerabilities in Acrobat, Reader, and ColdFusion could result in an attacker gaining control of the affected system. The most serious vulnerabilities in Flash and Creative Cloud Desktop Application could result in disclosure of information to an attacker.

Affected Versions

Acrobat and Reader:

  • Acrobat DC (Continuous Track) for Windows and macOS version 2019.010.20069 and prior
  • Acrobat Reader DC (Continuous Track) for Windows and macOS version 2019.010.20069 and prior
  • Acrobat 2017 (Classic 2017 Track) for Windows and macOS version 2017.011.30113 and prior
  • Acrobat Reader DC 2017 (Classic 2017 Track) for Windows and macOS version 2017.011.30113 and prior
  • Acrobat DC (Classic 2015 Track) for Windows and macOS version 2015.006.30464 and prior
  • Acrobat Reader DC (Classic 2015 Track) for Windows and macOS version 2015.006.30464 and prior

ColdFusion:

  • ColdFusion 2018 (Update 1 and earlier versions)
  • ColdFusion 2016 (Update 7 and earlier versions)
  • ColdFusion 11 (Update 15 and earlier versions)

Creative Cloud Desktop Application:

  • Creative Cloud Desktop Application (installer) for Windows version 4.7.0.400 and earlier

Flash Player:

  • Flash Player Desktop for Windows, macOS and Linux Runtime version 32.0.0.114 and earlier
  • Flash Player for Google Chrome for Windows, macOS, Linux and Chrome OS version 32.0.0.114 and earlier
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 versions 32.0.0.114 and earlier

Action Items

IA recommends updating affected software within 30 days, after appropriate testing. Follow the links in the References below for the available downloads.

Technical Details

Technical details are available for each of the Adobe advisories at Adobe Bulletins and Advisories.

Information for Users

MiWorkspace machines are planned to be updated this week, after appropriate testing.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.