October 23, 2014
This message is intended for U-M IT staff who are responsible for maintaining and running university systems that allow users to run Adobe Flash.
There is a critical vulnerability in Adobe Flash that is being actively exploited in large-scale attacks.
Commercial exploit toolkits are available that can exploit vulnerable versions of Adobe Flash. Widespread attacks are known to be occurring. Adobe has released updates to address this vulnerability. The updates should be installed as soon as possible.
Adobe Flash Player versions for Windows, Linux, and Macintosh are affected. Adobe AIR is also affected.
- Adobe Flash Player 188.8.131.52 and earlier versions
- Adobe Flash Player 184.108.40.206 and earlier 13.x versions
- Adobe Flash Player 220.127.116.116 and earlier versions for Linux
- Adobe AIR desktop runtime 18.104.22.168 and earlier versions
- Adobe AIR SDK 22.214.171.124 and earlier versions
- Adobe AIR SDK & Compiler 126.96.36.199 and earlier versions
- Adobe AIR 188.8.131.52 and earlier versions for Android
Update to the latest version of Adobe Flash or disable it as soon as possible.
- Automatic updates for Google Chrome will include Adobe Flash Player 184.108.40.206.
- Microsoft’s updates for Internet Explorer for Windows 8.x will include Adobe Flash Player 220.127.116.11.
- Adobe recommends that users of:
  - Adobe Flash Player desktop runtime for Windows and Macintosh update to Adobe Flash Player 18.104.22.168 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted.
  - Adobe Flash Player Extended Support Release update to version 22.214.171.124.
  - Adobe Flash Player for Linux update to Adobe Flash Player 126.96.36.1991 by visiting the Adobe Flash Player Download Center.
  - Adobe AIR desktop runtime update to version 188.8.131.523 by visiting the Adobe AIR Download Center.
  - Adobe AIR SDK update to version 184.108.40.2062 by visiting the Adobe AIR Download Center.
  - Adobe AIR SDK & Compiler update to version 220.127.116.112 by visiting the Adobe AIR Download Center.
  - Adobe AIR for Android update to Adobe AIR 18.104.22.1683 by downloading the new version from the Google Play store.
At least one exploit kit available in underground markets has incorporated exploitation of this vulnerability. Systems running a vulnerable version of Flash may be compromised easily using these automated tools. This vulnerability is currently known to be actively and widely exploited.
The vulnerability involves an integer overflow that can allow memory corruption, leading to the possible execution of arbitrary code.
Please contact firstname.lastname@example.org.
- Adobe Security Bulletin
- National Vulnerability Database: CVE-2014-0569