Apply critical security update for Adobe Flash Player
This information was sent to IT staff groups July 8, 2015.
This message is intended for U-M IT staff who are responsible for maintaining university machines that have Adobe Flash Player installed.
Summary
Adobe has released a new set of security updates for Adobe Flash Player. These updates address a critical vulnerability that could cause a crash and potentially allow an attacker to take control of the affected system. IIA recommends that you update to the latest versions as soon as possible after appropriate testing.
Affected Versions
- Adobe Flash Player 18.0.0.194 and earlier versions for Windows and Macintosh.
- Adobe Flash Player Extended Support Release version 13.0.0.296 and earlier 13.x versions for Windows and Macintosh.
- Adobe Flash Player 11.2.202.468 and earlier 11.x versions for Linux.
Action Items
Update Adobe Flash Player to the latest version by visiting the Adobe Flash Player Download Center.
- Windows and Mac: Update to Adobe Flash Player 18.0.0.203.
- Linux: Update to Adobe Flash Player 11.2.202.481.
- Google Chrome: Will automatically update to Adobe Flash Player version 18.0.0.204.
- Internet Explorer on Windows 8.x: Adobe Flash Player will automatically update to version 18.0.0.203.
- Extended Support Release: Update to Adobe Flash Player version 13.0.0.302 by visiting Archived Flash Player Versions.
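For staff checking a software inventory against the version lists above, the following added example (not part of the original notice and not Adobe or U-M tooling) classifies installed Flash Player versions using the affected and fixed versions given in this notice. The host names, the status labels, the "below-fixed" label for builds between the affected and fixed versions, and treating every non-Linux platform as Windows/Mac are assumptions; Chrome's bundled player is not modelled.

```python
# Versions are from this notice: (family, branch) -> (highest affected, first fixed).
THRESHOLDS = {
    ("desktop", "mainline"): ("18.0.0.194", "18.0.0.203"),
    ("desktop", "esr"): ("13.0.0.296", "13.0.0.302"),
    ("linux", "mainline"): ("11.2.202.468", "11.2.202.481"),
}

def parse(version):
    """Turn '18.0.0.194' into (18, 0, 0, 194) so versions compare numerically."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric fields: {version!r}")
    return parts

def classify(platform, version):
    """Return 'affected', 'below-fixed', 'ok' or 'not-covered' for one install."""
    v = parse(version)
    family = "linux" if platform.lower() == "linux" else "desktop"
    if family == "linux" and v[0] != 11:
        return "not-covered"  # the notice only lists 11.x for Linux
    branch = "esr" if family == "desktop" and v[0] == 13 else "mainline"
    affected, fixed = (parse(x) for x in THRESHOLDS[(family, branch)])
    if v <= affected:
        return "affected"
    return "ok" if v >= fixed else "below-fixed"

def audit(rows):
    """rows: (host, platform, version) tuples; return the hosts that are not 'ok'."""
    findings = []
    for host, platform, version in rows:
        try:
            status = classify(platform, version)
        except ValueError:
            status = "unparseable"  # surface bad inventory data instead of skipping it
        if status != "ok":
            findings.append((host, version, status))
    return findings

# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE = [
    ("lab-pc-01", "Windows", "18.0.0.194"),
    ("lab-pc-02", "Windows", "18.0.0.203"),
    ("lab-mac-01", "Mac", "13.0.0.296"),
    ("lab-pc-03", "Windows", "18.0.0.99"),  # a plain string compare would rank this above .194
    ("lab-pc-04", "Windows", "unknown"),
]

if __name__ == "__main__":
    print("\n".join("\t".join(f) for f in audit(SAMPLE)))
```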
Technical Details
This is a use-after-free vulnerability (CVE-2015-5119) that could cause a crash and potentially allow an attacker to take control of an affected system if exploited. Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly.
Information for Users
MiWorkspace machines will be patched as soon as possible. If you have Adobe Flash Player installed on your own devices that are not managed by the university, please update it by visiting the Adobe Flash Player Download Center.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection.
Questions, Concerns, Reports
Please contact [email protected].
References
- Adobe Security Bulletin (CVE-2015-5119) (Adobe, 7/7/15)
- Adobe confirms Flash vulnerability found via Hacking Team leak, promises patch tomorrow (Venture Beat, 7/7/15)
- Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak (TrendMicro, 7/7/15)
- PSA: Flash Zero-Day Now Active in The Wild (Malwarebytes, 7/7/15)