ALERT: New Critical Adobe Flash Security Update Released Thursday

Thursday, February 5, 2015

This information was sent to U-M IT staff groups on February 5, 2015

This message is intended for U-M IT staff who are responsible for maintaining and running university machines.

Summary

Another critical, previously unpatched Adobe Flash Player vulnerability is being actively exploited. Patches are now available, and we are asking that you apply them immediately. Even if you applied patches earlier, including those made available last week, you will need to patch again. This new critical patch was released on Thursday 2/5/2015.

Problem

A new zero-day vulnerability in Adobe Flash Player that could allow remote code execution was announced on February 2, 2015. Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources on a user's computer. Failed exploit attempts will likely cause denial-of-service conditions.

Threats

This vulnerability could give an attacker the ability to run code remotely on the system with the same permission level as the user running the browser. Successful exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could install and execute malicious code on a user's computer.

Affected Systems

  • Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 13.0.0.264 and earlier 13.x versions for Extended Support Release
  • Adobe Flash Player 11.2.202.440 and earlier 11.x versions for Linux

Detection

Determine what version of Flash Player is installed on your computer by visiting the Flash Player Help page and clicking Check Now. Perform this check for each web browser installed on your computer.

Action Items

Update to the newest version of Flash Player as soon as possible, as the vulnerability is actively being exploited.

  • Adobe Flash Player Desktop Runtime for Windows and Macintosh: Update to Adobe Flash Player 16.0.0.305 by visiting the Adobe Flash Player Download Center (http://get.adobe.com/flashplayer/), or by using the update mechanism within the product when prompted.
  • Adobe Flash Player for Linux: Update to Adobe Flash Player 11.2.202.442 by visiting the Adobe Flash Player Download Center (http://get.adobe.com/flashplayer/).
  • Adobe Flash Player Extended Support Release: Update to Adobe Flash Player 13.0.0.269 by visiting http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html.
  • Adobe Flash Player installed with Google Chrome: will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 16.0.0.305.
  • Adobe Flash Player installed with Internet Explorer for Windows 8.x: will be automatically updated to the latest version, which will include Adobe Flash Player 16.0.0.305.
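For staff checking many machines, the version-to-branch comparison above can be automated. The following is an added example and not U-M or Adobe code: it compares version strings (as shown by Adobe's Check Now page) against the fixed builds listed in this message, using the major version to pick the branch (16.x desktop, 13.x Extended Support Release, 11.x Linux); the inventory rows are constructed sample data.

```python
"""Triage Flash Player versions against the fixed builds named in this advisory."""

# Fixed builds from the Action Items, keyed by branch (major version).
FIXED = {
    16: (16, 0, 0, 305),    # Desktop runtime for Windows/Mac, Chrome, IE on Windows 8.x
    13: (13, 0, 0, 269),    # Extended Support Release
    11: (11, 2, 202, 442),  # Linux
}


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so versions compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Flash Player version format: {text!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version):
    """Pick the fixed build the advisory gives for the branch this version is on."""
    major = version[0]
    if major in FIXED:
        return FIXED[major]
    if major < 16:      # e.g. 14.x/15.x: covered by "16.0.0.296 and earlier versions"
        return FIXED[16]
    return None         # newer than any branch this advisory covers


def status(version_text):
    """Return 'vulnerable', 'patched', or 'not covered' for one version string."""
    version = parse_version(version_text)
    fixed = fixed_version_for(version)
    if fixed is None:
        return "not covered"
    return "vulnerable" if version < fixed else "patched"


# Constructed sample rows in the shape of an inventory export: host, browser, Flash version.
INVENTORY = [
    ("lab-pc-01", "Internet Explorer", "16.0.0.296"),
    ("lab-pc-02", "Firefox", "16.0.0.305"),
    ("lab-pc-03", "Firefox", "13.0.0.264"),
    ("lab-linux-1", "Firefox", "11.2.202.440"),
    ("lab-linux-2", "Firefox", "11.2.202.442"),
]


def needs_patch(inventory=INVENTORY):
    """List the rows whose Flash Player is below the fixed build for its branch."""
    return [row for row in inventory if status(row[2]) == "vulnerable"]


if __name__ == "__main__":
    for host, browser, version in needs_patch():
        print(f"{host}: {browser} has Flash Player {version} -> update required")
```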

Technical Details

A use-after-free vulnerability in Adobe Flash Player has been discovered which could allow for remote code execution. The vulnerability is exploitable in all major browsers (Internet Explorer, Firefox, and Chrome). However, the Flash plugin sandbox within Chrome should provide some protection for Chrome users. This vulnerability has been exploited in the wild in malvertising attacks affecting various websites, including the video sharing site dailymotion.com.

Information for Users

MiWorkspace machines will be patched as soon as possible. If you have Adobe Flash installed on your own devices that are not managed by the university, please install Adobe's update. Adobe directs Flash users to its Flash Player Download site for updates: http://get.adobe.com/flashplayer/

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, and do not open email attachments unless you are expecting them and trust the person who sent them. For more information, see Spam, Phishing, and Suspicious Email and Instructions for Securing Your Devices and Data on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact [email protected].

Sincerely, 
Sol Bermann, 
Interim University of Michigan Chief Information Security Officer 
Privacy Officer and IT Policy, Compliance and Enterprise Continuity Strategist