ADVISORY: New Critical Vulnerabilities in Adobe Flash Player, Acrobat, and Reader
This message was sent to U-M IT staff groups on December 9, 2014. It is intended for U-M IT staff who
- Manage computers that run Adobe Flash Player, Reader, and/or Acrobat.
- Provide support to users who run these programs.
Multiple critical vulnerabilities in Adobe Flash Player, Adobe Reader, and Adobe Acrobat could allow remote code execution. Updates from Adobe should be installed as soon as possible.
Multiple exploit toolkits are available that can exploit the Adobe Flash vulnerabilities. Exploit toolkits are not yet available for the Adobe Reader and Adobe Acrobat vulnerabilities, but are expected to be available soon.
Affected versions:
- Adobe Flash Player for Windows and Macintosh before version 18.104.22.168
- Adobe Flash Player Extended Support Release before version 22.214.171.1249
- Adobe Flash Player for Linux before version 126.96.36.1995
- Adobe Reader XI before version 11.0.09
- Adobe Reader X before version 10.1.12
- Adobe Acrobat XI before version 11.0.09
- Adobe Acrobat X before version 10.1.12
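Because Reader and Acrobat were fixed separately on the X and XI branches, a plain "is the version below 11.0.09" check would wrongly flag patched 10.1.12 installs. The following added example (not part of the original advisory) does a branch-aware comparison against the Reader/Acrobat thresholds listed above; the inventory lines are constructed sample data, and `hosts_needing_update` is an assumed name for the reporting function.

```python
"""Branch-aware check of installed Adobe Reader/Acrobat versions against the
fixed versions named in this advisory (XI: 11.0.09, X: 10.1.12).
Added example, not part of the original advisory. The inventory below is
constructed sample data; a real run would read it from an asset system."""
from typing import List, Tuple

# Minimum fixed version per product and major-version branch (from the advisory).
FIXED_VERSIONS = {
    ("Adobe Reader", 11): (11, 0, 9),
    ("Adobe Reader", 10): (10, 1, 12),
    ("Adobe Acrobat", 11): (11, 0, 9),
    ("Adobe Acrobat", 10): (10, 1, 12),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'11.0.09' -> (11, 0, 9): numeric compare, so '11.0.10' > '11.0.09'."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(product: str, version: str) -> bool:
    """True if the installed version is below the fixed version for its branch.
    A 10.1.12 install is not flagged even though it sorts below 11.0.09,
    because branch X was fixed separately in 10.1.12."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((product, v[0]))
    if fixed is None:
        # Branch not covered by these updates (e.g. 9.x): report it for
        # manual follow-up rather than silently treating it as patched.
        return True
    return v < fixed

# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("host-a", "Adobe Reader", "11.0.08"),
    ("host-b", "Adobe Reader", "11.0.09"),
    ("host-c", "Adobe Acrobat", "10.1.12"),
    ("host-d", "Adobe Acrobat", "10.1.11"),
    ("host-e", "Adobe Reader", "9.5.5"),
]

def hosts_needing_update(inventory) -> List[str]:
    """Hostnames whose Reader/Acrobat install is below its branch's fixed version."""
    return [host for host, product, ver in inventory if is_vulnerable(product, ver)]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(host)
```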
Adobe recommends users update their software. Please prioritize the Adobe Flash Player updates first, because the vulnerabilities are already being actively exploited. Adobe has assigned "Priority level 1" to all of these updates, except the Adobe Flash Player for Linux. Adobe recommends installation of Priority level 1 updates as soon as possible.
- Adobe Flash Player Desktop Runtime for Windows and Macintosh. Update to Adobe Flash Player 188.8.131.52 by visiting the Adobe Flash Player Download Center (http://get.adobe.com/flashplayer/), or by using the update mechanism within the product when prompted.
- Adobe Flash Player Extended Support Release. Update to version 184.108.40.2069 by visiting http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.
- Adobe Flash Player for Linux. Update to Adobe Flash Player 220.127.116.115 by visiting the Adobe Flash Player Download Center (http://get.adobe.com/flashplayer/).
- Adobe Flash Player installed with Google Chrome. Will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 18.104.22.168.
- Adobe Flash Player installed with Internet Explorer for Windows 8.x. Will be automatically updated to the latest version, which will include Adobe Flash Player 22.214.171.124.
- Adobe Reader XI and X. Update to the latest version:
- Adobe Acrobat XI and X. Update to the latest version:
The Adobe Flash Player vulnerabilities are actively being exploited in the wild by multiple exploit kits. Adobe has also assigned "Priority level 1" to the Adobe Reader and Adobe Acrobat vulnerabilities, indicating that they believe there is a "higher risk of being targeted, by exploit(s) in the wild."
Adobe Flash Player vulnerabilities:
- Memory corruption vulnerabilities that could lead to code execution (CVE-2014-0587, CVE-2014-9164).
- Use-after-free vulnerability that could lead to code execution (CVE-2014-8443).
- Stack-based buffer overflow vulnerability that could lead to code execution (CVE-2014-9163).
- Information disclosure vulnerability (CVE-2014-9162).
- A vulnerability that could be exploited to circumvent the same-origin policy (CVE-2014-0580).
Exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user access.
Adobe Acrobat and Reader vulnerabilities:
- Use-after-free vulnerabilities that could lead to code execution (CVE-2014-8454, CVE-2014-8455, CVE-2014-9165)
- Heap-based buffer overflow vulnerabilities that could lead to code execution (CVE-2014-8457, CVE-2014-8460, CVE-2014-9159)
- An integer overflow vulnerability that could lead to code execution (CVE-2014-8449)
- Memory corruption vulnerabilities that could lead to code execution (CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, CVE-2014-9158)
- A time-of-check time-of-use (TOCTOU) race condition that could be exploited to allow arbitrary write access to the file system (CVE-2014-9150)
- A vulnerability in the handling of XML external entities that could lead to information disclosure (CVE-2014-8452)
- A vulnerability that could be exploited to circumvent the same-origin policy (CVE-2014-8453)
Exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer. Failed exploit attempts will likely cause denial-of-service conditions.
Questions, Concerns, Reports
Please contact firstname.lastname@example.org.
More information:
- Adobe Security Bulletin: Security updates available for Adobe Flash Player
- Adobe Security Bulletin: Security Updates available for Adobe Reader and Acrobat
- ZDNet: Adobe fixes Flash zero day, plus bugs in Acrobat, Reader and ColdFusion