NOTICE: Critical security update for Adobe Flash Player

Thursday, May 12, 2016

This information is intended for U-M IT staff who are responsible for university machines with Adobe Flash Player installed.

Summary: 

Critical vulnerabilities have been identified in Adobe Flash Player for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. These vulnerabilities are being actively exploited. Adobe has released security updates to address these vulnerabilities.

Affected Versions: 

Adobe Flash Player for Windows, Macintosh, Linux, and Chrome OS is affected. See the Adobe Security Bulletin for a complete list of affected versions.

Action Items: 

Update to the latest version of Adobe Flash Player as soon as possible after appropriate testing.

We encourage the entire university community to:

  • Remove Adobe Flash from systems where it is not used.
  • Ensure that all current and future Adobe Flash updates are applied quickly and consistently on all systems that need Adobe Flash.
  • Enable automatic updates for Flash when appropriate.
  • Consider configuring all web browsers to enable click-to-play for Flash content when possible.
Threats: 

Adobe has reported that it is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Other sources indicate that the vulnerability is being actively exploited in the wild. You can refer to Adobe Security Advisory PSA16-02 for additional details.

Detection: 
  • To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page or right-click on content running in Flash Player and select About Adobe (or Macromedia) Flash Player from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.  
  • To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote.
Information for Users: 

MiWorkspace machines will be patched as soon as possible. If you have Adobe Flash Player installed on your own devices that are not managed by the university, please update it by visiting the Adobe Flash Player Download Center. Mozilla Firefox blocks vulnerable versions of Adobe Flash Player. Chrome will update automatically.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.

References: