ALERT: Critical security update for Adobe Flash Player (Future Adobe Flash & Shockwave notices on web only)
Tuesday, July 14, 2015
This information was sent to U-M IT staff groups on July 14, 2015.
This message is intended for U-M IT staff who are responsible for maintaining machines with Adobe Flash Player installed.
IMPORTANT!
Future Adobe Flash and Shockwave vulnerability notices will be on Safe Computing and not sent in email.
Due to the frequency of security issues related to these Adobe products, IIA will no longer send email alerts regarding what are now routine, although still critical, vulnerabilities. This does not reflect a change in how serious we think these Adobe Flash and Shockwave vulnerabilities are. We will post notices in the Security Alerts box on the Safe Computing homepage and tweet them via @umichTECH. Please check for the notices, take them seriously, and update Adobe Flash whenever a new security update is released. We will only send Adobe Flash alert emails for unusual situations that warrant special attention.
Follow the @umichTECH Twitter account for all IIA alerts, advisories, and notices.
We encourage the entire university community to:
- Remove Adobe Flash from systems where it is not used.
- Ensure that all current and future Adobe Flash updates are applied quickly and consistently on all systems that need Adobe Flash.
- Enable automatic updates for Flash when appropriate.
- Consider configuring all web browsers to enable click-to-play for Flash content when possible.
Summary
Two critical security vulnerabilities have been reported in Adobe Flash Player, and Adobe has released an update. IIA recommends that you update to the latest version available by visiting the Adobe Flash Player Download Center. See the Adobe Security Bulletin for details.
Problem
Exploits targeting these vulnerabilities are publicly available. If these vulnerabilities are successfully exploited, an attacker could crash, and potentially take control of, an affected system.
Affected Versions
See the Adobe Security Bulletin.
Information for Users
MiWorkspace machines will be patched as soon as possible. If you have Adobe Flash Player installed on your own devices that are not managed by the university, please update it by visiting the Adobe Flash Player Download Center. Be aware that Mozilla Firefox is blocking the vulnerable versions of Adobe Flash Player as of July 13, 2015. Chrome will update automatically.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection.
Questions, Concerns, Reports
Please contact [email protected].
References
- Adobe Security Bulletin (Adobe, July 10, 2015)
- Enable click-to-play for Flash & Java in Chrome, Firefox & Safari (Mattias Geniar, July 13, 2015)