NOTICE: Critical vulnerability in Adobe Shockwave Player

Wednesday, July 15, 2015

This information is intended for U-M IT staff who are responsible for maintaining university machines with Adobe Shockwave Player installed.

Summary: 

A vulnerability has been discovered in Adobe Shockwave Player that could allow an attacker to remotely take control of the affected system. IIA recommends updating to the latest version of Adobe Shockwave Player by visiting Adobe Shockwave Player Download Center.

Problem: 

Successful exploitation of this vulnerability could allow an attacker to gain access to a computer with the same privileges as the logged-in user. Failed exploitation of the vulnerability will likely cause denial-of-service conditions, such as a web browser crash.

Affected Systems: 
  • Adobe Shockwave Player 12.1.8.158 and earlier for Windows and Macintosh
Action Items: 

Update to the latest version of Adobe Shockwave Player as soon as possible by visiting Adobe Shockwave Player Download Center.

Technical Details: 

An attacker could exploit this critical memory corruption vulnerability by creating a website that contains specially crafted content. The vulnerability has been assigned CVE-2015-5120 and CVE-2015-5121. Successful exploitation of this vulnerability could allow an attacker to remotely gain access to a computer with the same privileges as the logged-in user. If the attacker gains administrative rights, they could then install programs; view, change, or delete data; or create new accounts with full user rights.

Information for Users: 

MiWorkspace machines will be patched as soon as possible. If you have Adobe Shockwave Player installed on your own devices that are not managed by the university, please update it as soon as possible by visiting Adobe Shockwave Player Download Center.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.

References: