NOTICE: Critical vulnerability in Adobe Shockwave Player

A vulnerability has been discovered in Adobe Shockwave Player that could allow an attacker to remotely take control of the affected system. IIA recommends updating to the latest version of Adobe Shockwave Player by visiting Adobe Shockwave Player Download Center.

Successful exploitation of this vulnerability could allow an attacker to gain access to a computer with the same privileges as the logged-in user. Failed exploitation of the vulnerability will likely cause denial-of-service conditions, such as a web browser crash.

Update to the latest version of Adobe Shockwave Player as soon as possible by visiting Adobe Shockwave Player Download Center.

An attacker could exploit this critical memory corruption vulnerability by creating a website that contains specially crafted content. The vulnerability has been assigned CVE-2015-5120 and CVE-2015-5121. Successful exploitation of this vulnerability could allow an attacker to remotely gain access to a computer with the same privileges as the logged-in user. If the attacker gains administrative rights, they could then install programs; view, change, or delete data; or create new accounts with full user rights.

MiWorkspace machines will be patched as soon as possible. If you have Adobe Shockwave Player installed on your own devices that are not managed by the university, please update it as soon as possible by visiting Adobe Shockwave Player Download Center.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Please contact [email protected].

• Adobe Security Bulletin (Adobe, July 14, 2015)