This information was sent to U-M IT staff groups on January 27, 2015.
This message is intended for U-M IT staff who are responsible for maintaining and running university machines.
Multiple Adobe Flash Player vulnerabilities are being actively exploited. Patches are available, and we are asking that you apply them immediately. Even if you applied the patch made available last week, you will need to patch again. A new critical patch was released this week.
Vulnerabilities in Adobe Flash Player could allow remote code execution. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages. Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer. Failed exploit attempts will likely cause denial-of-service conditions. The vulnerabilities are being actively exploited.
- Adobe Flash Player 126.96.36.1997 and earlier versions for Windows and Macintosh
- Adobe Flash Player 188.8.131.522 and earlier 13.x versions for Windows and Macintosh
- Adobe Flash Player 184.108.40.2068 and earlier versions for Linux
Adobe Flash Player 220.127.116.116 has been made available through auto-update and manual download. This version mitigates CVE-2015-0311, which was being used by the Angler Exploit Kit. This version also addresses CVE-2015-0312, which allowed for potential remote code execution.
For the machines you are responsible for:
- Install the updates provided by Adobe immediately after appropriate testing.
- Limit user account privileges to only those required.
For users, recommend the following:
- Do not visit websites or follow links provided by unknown or untrusted sources.
- Do not open email attachments from unknown or untrusted sources.
- Use Google Chrome for web browsing as it may not be vulnerable to the exploits.
These vulnerabilities could allow an attacker to execute code remotely on the system with the same permission level as the user or browser. Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer.
Please contact firstname.lastname@example.org.
ITS Information and Infrastructure Assurance