New Critical Vulnerabilities in Adobe Flash Player, Acrobat, and Reader / safecomputing.umich.edu

Tuesday, December 9, 2014

This message was sent to U-M IT staff groups on December 9, 2014. It is intended for U-M IT staff who

Manage computers that run Adobe Flash Player, Reader, and/or Acrobat.
Provide support to users who run these programs.

Summary

Multiple critical vulnerabilities in Adobe Flash Player, Adobe Reader, and Adobe Acrobat could allow remote code execution. Updates from Adobe should be installed as soon as possible.

Problem

Multiple exploit toolkits are available that can exploit the Adobe Flash vulnerabilities. Exploit toolkits are not yet available for the Adobe Reader and Adobe Acrobat vulnerabilities, but are expected to be available soon.

Threats

The Adobe Flash Player vulnerabilities are actively being exploited in the wild by multiple exploit kits. Adobe has also assigned "Priority level 1" to the Adobe Reader and Adobe Acrobat vulnerabilities, indicating that they believe there is a "higher risk of being targeted, by exploit(s) in the wild."

Affected Versions

Adobe Flash Player for Windows and Macintosh before version 16.0.0.235
Adobe Flash Player Extended Support Release before version 13.0.0.259
Adobe Flash Player for Linux before version 11.2.202.425
Adobe Reader XI before version 11.0.09
Adobe Reader X before version 10.1.12
Adobe Acrobat XI before version 11.0.09
Adobe Acrobat X before version 10.1.12

Action Items

Adobe recommends users update their software. Please prioritize the Adobe Flash Player updates first, because the vulnerabilities are already being actively exploited. Adobe has assigned "Priority level 1" to to all of these updates, except the Adobe Flash Player for Linux. Adobe recommends installation of Priority level 1 updates as soon as possible.

Adobe Flash Player Desktop Runtime for Windows and Macintosh. Update to Adobe Flash Player 16.0.0.235 by visiting the Adobe Flash Player Download Center (http://get.adobe.com/flashplayer/), or by using the update mechanism within the product when prompted.
Adobe Flash Player Extended Support Release. Update to version 13.0.0.259 by visiting http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.
Adobe Flash Player for Linux. Update to Adobe Flash Player 11.2.202.425 by visiting the Adobe Flash Player Download Center (http://get.adobe.com/flashplayer/).
Adobe Flash Player installed with Google Chrome. Will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 16.0.0.235.
Adobe Flash Player installed with Internet Explorer for Windows 8.x. Will be automatically updated to the latest version, which will include Adobe Flash Player 16.0.0.235.
Adobe Reader XI and X. Update to the latest version:
- Windows: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
- Macintosh: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
Adobe Acrobat XI and X. Update to the latest version:
- Windows: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
- Macintosh: MiWorkspace computers will receive these updates automatically as soon as possible through MiWorkspace update procedures.

Technical Details

Adobe Flash Player vulnerabilities:

Memory corruption vulnerabilities that could lead to code execution (CVE-2014-0587, CVE-2014-9164).
Use-after-free vulnerability that could lead to code execution (CVE-2014-8443).
Stack-based buffer overflow vulnerability that could lead to code execution (CVE-2014-9163).
Information disclosure vulnerability (CVE-2014-9162).
A vulnerability that could be exploited to circumvent the same-origin policy (CVE-2014-0580).

Exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user access.

Adobe Acrobat and Reader vulnerabilities:

A use-after-free vulnerabilities that could lead to code execution (CVE-2014-8454, CVE-2014-8455, CVE-2014-9165)
A heap-based buffer overflow vulnerabilities that could lead to code execution (CVE-2014-8457, CVE-2014-8460, CVE-2014-9159)
An integer overflow vulnerability that could lead to code execution (CVE-2014-8449)
A memory corruption vulnerabilities that could lead to code execution (CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, CVE-2014-9158)
A time-of-check time-of-use (TOCTOU) race condition that could be exploited to allow arbitrary write access to the file system (CVE-2014-9150)
An improper implementation of a Javascript API that could lead to information disclosure (CVE-2014-8448, CVE-2014-8451)
A vulnerability in the handling of XML external entities that could lead to information disclosure (CVE-2014-8452)
A vulnerabilities that could be exploited to circumvent the same-origin policy (CVE-2014-8453)

Exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer. Failed exploit attempts will likely cause denial-of-service conditions.

Questions, Concerns, Reports

Please contact [email protected].

References

Adobe Security Bulletin: Security updates available for Adobe Flash Player
http://helpx.adobe.com/security/products/flash-player/apsb14-27.html
Adobe Security Bulletin: Security Updates available for Adobe Reader and Acrobat
http://helpx.adobe.com/security/products/reader/apsb14-28.html
ZDNet: Adobe fixes Flash zero day, plus bugs in Acrobat, Reader and ColdFusion
http://www.zdnet.com/article/adobe-fixes-flash-zero-day-plus-bugs-in-acrobat-reader-and-coldfusion/

ADVISORY: New Critical Vulnerabilities in Adobe Flash Player, Acrobat, and Reader