ALERT: Multiple vulnerabilities in Adobe Flash Player could allow remote code execution

Wednesday, April 15, 2015

This information was sent to U-M IT staff via email on April 15, 2015.

This message is intended for U-M IT staff who are responsible for maintaining, running, and supporting university machines with Adobe Flash Player installed.

Summary: 

Multiple vulnerabilities have been discovered in Adobe Flash Player. One of the vulnerabilities is being actively exploited in the wild.

Problem: 

Successful exploitation of these vulnerabilities could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer.

Affected Systems: 
  • Adobe Flash Player 17.0.0.134 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 13.0.0.277 and earlier 13.x versions for Extended Support Release
  • Adobe Flash Player 11.2.202.451 and earlier 11.x versions for Linux
Action Items: 

Update affected versions of Adobe Flash Player to the most recent version as soon as possible.

Threats: 

Adobe has reported that one vulnerability (CVE-2015-3043), a memory corruption vulnerability, is being actively exploited in the wild. Successful exploitation can result in execution of arbitrary code. There are currently no reports of the other vulnerabilities being exploited in the wild, but at least 16 of these vulnerabilities could lead to malicious code execution. In many cases, criminals are able to rapidly produce exploits after the release of patches.

Technical Details: 

Adobe Flash Player is prone to multiple vulnerabilities (memory-corruption, type-confusion, buffer-overflow, use-after-free, and double-free vulnerabilities). These could all lead to remote code execution. Additional memory-leak vulnerabilities could be used to bypass Address Space Layout Randomization (ASLR), and a security-bypass vulnerability could lead to information disclosure.

Successful exploitation of these vulnerabilities could result in the attacker gaining the same rights as the logged-in user. Depending on the privileges associated with the user, the attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who log on with administrative user rights.

Information for Users: 

MiWorkspace machines will be patched as soon as possible. If you have Adobe Flash Player installed on your own devices that are not managed by the university, please update by visiting the Adobe Flash Player Download Center.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.

Sincerely, 
Don Welch, 
University of Michigan Chief Information Security Officer