Immediate patching needed for multiple Adobe Flash Player vulnerabilities
This information was sent to U-M IT staff groups on January 27, 2015
This message is intended for U-M IT staff who are responsible for maintaining and running university machines.
Summary
Multiple Adobe Flash Player vulnerabilities are being actively exploited. Patches are available, and we are asking that you apply them immediately. Even if you applied the patch made available last week, you will need to patch again. A new critical patch was released this week.
Problem
Vulnerabilities in Adobe Flash Player could allow remote code execution. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer. Failed exploit attempts will likely cause denial-of-service conditions. The vulnerabilities are being actively exploited.
Affected Systems
- Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
- Adobe Flash Player 13.0.0.262 and earlier 13.x versions for Windows and Macintosh
- Adobe Flash Player 11.2.202.438 and earlier versions for Linux
Action Items
Adobe Flash Player 16.0.0.296 has been made available through auto-update and manual download. This version mitigates CVE-2015-0311, which was being used by the Angler Exploit Kit. This version also addresses CVE-2015-0312, which allowed for potential remote code execution.
For the machines you are responsible for:
- Install the updates provided by Adobe immediately after appropriate testing.
- Limit user account privileges to only those required.
For users, recommend the following:
- Do not visit websites or follow links provided by unknown or untrusted sources.
- Do not open email attachments from unknown or untrusted sources.
- Use Google Chrome for web browsing as it may not be vulnerable to the exploits.
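Added example, not part of the original advisory and not an ITS tool: a small Python triage script that encodes the version ceilings listed under Affected Systems and flags inventory entries that still need the 16.0.0.296 update. The hostnames, the inventory layout, and the version strings 13.0.0.264 and 11.2.202.440 are constructed for the demo; only the thresholds quoted in this advisory are taken from it.

```python
from typing import List, Tuple

# Highest affected version per platform, taken from "Affected Systems".
# Versions are compared numerically, component by component, never as strings,
# so 16.0.0.287 sorts below 16.0.0.296 as expected.
AFFECTED_CEILINGS = {
    # platform -> {major branch: ceiling, "default": ceiling for other branches}
    "windows": {13: (13, 0, 0, 262), "default": (16, 0, 0, 287)},
    "macintosh": {13: (13, 0, 0, 262), "default": (16, 0, 0, 287)},
    "linux": {"default": (11, 2, 202, 438)},
}
PATCHED_VERSION = (16, 0, 0, 296)  # release named under "Action Items"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into a tuple of ints, padding short strings to 4 parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(platform: str, version: str) -> bool:
    """True if this install falls inside the advisory's affected ranges.

    The 13.x branch has its own ceiling (13.0.0.262), so a 13.x build newer
    than that is not flagged even though it is numerically below 16.0.0.287.
    """
    ceilings = AFFECTED_CEILINGS[platform.lower()]
    v = parse_version(version)
    ceiling = ceilings.get(v[0], ceilings["default"])
    return v <= ceiling


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, platform, version) entries that still need patching."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory; hostnames and the non-advisory versions are made up.
SAMPLE_INVENTORY = [
    ("lab-pc-01", "Windows", "16.0.0.287"),        # affected: at the 16.x ceiling
    ("lab-pc-02", "Windows", "16.0.0.296"),        # patched release from this advisory
    ("design-mac-07", "Macintosh", "13.0.0.262"),  # affected 13.x build
    ("design-mac-08", "Macintosh", "13.0.0.264"),  # hypothetical 13.x above the ceiling
    ("build-linux-03", "Linux", "11.2.202.438"),   # affected Linux build
    ("build-linux-04", "Linux", "11.2.202.440"),   # hypothetical Linux build above the ceiling
]

if __name__ == "__main__":
    for host, platform, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: Flash {version} on {platform} still needs the update")
```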
Technical Details
These vulnerabilities could give an attacker the ability to run remote code on the system with the same permissions level that the user/browser has. Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer.
Questions, Concerns, Reports
Please contact [email protected].
Sincerely,
ITS Information and Infrastructure Assurance
References
- Adobe Security Bulletin: Security updates available for Adobe Flash Player (CVE number: CVE-2015-0311, CVE-2015-0312)
- Microsoft Security Advisory 2755801 (Update for Vulnerabilities in Adobe Flash Player in Internet Explorer)
- Adobe pushes critical Flash Player update to fix latest zero-day (PC World)
- Analyzing CVE-2015-0311: Flash Zero Day Vulnerability (TrendLabs)