ADVISORY: New Critical Vulnerabilities in Adobe Flash Player, Acrobat, and Reader

Tuesday, December 9, 2014

This message was sent to U-M IT staff groups on December 9, 2014. It is intended for U-M IT staff who:

  • Manage computers that run Adobe Flash Player, Reader, and/or Acrobat.
  • Provide support to users who run these programs.
Summary: 

Multiple critical vulnerabilities in Adobe Flash Player, Adobe Reader, and Adobe Acrobat could allow remote code execution. Updates from Adobe should be installed as soon as possible.

Problem: 

Multiple exploit toolkits are available that can exploit the Adobe Flash vulnerabilities. Exploit toolkits are not yet available for the Adobe Reader and Adobe Acrobat vulnerabilities, but are expected to be available soon.

Affected Versions: 
  • Adobe Flash Player for Windows and Macintosh before version 16.0.0.235
  • Adobe Flash Player Extended Support Release before version 13.0.0.259
  • Adobe Flash Player for Linux before version 11.2.202.425
  • Adobe Reader XI before version 11.0.09
  • Adobe Reader X before version 10.1.12
  • Adobe Acrobat XI before version 11.0.09
  • Adobe Acrobat X before version 10.1.12
Action Items: 

Adobe recommends that users update their software. Please prioritize the Adobe Flash Player updates, because those vulnerabilities are already being actively exploited. Adobe has assigned "Priority level 1" to all of these updates except the one for Adobe Flash Player for Linux. Adobe recommends installing Priority level 1 updates as soon as possible.
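
The following Python script is an added example, not part of the original advisory: it checks an inventory against the fixed versions in the Affected Versions list and orders the results with Flash Player first. The hostnames and installed versions are constructed, and treating a 13.x install on Windows or Macintosh as the Extended Support Release branch is an assumption.

```python
# Added example: triage an inventory against the advisory's fixed versions.
# Fixed versions are copied from the "Affected Versions" list.
FLASH_DESKTOP, FLASH_ESR, FLASH_LINUX = "16.0.0.235", "13.0.0.259", "11.2.202.425"
READER_ACROBAT = {11: "11.0.09", 10: "10.1.12"}  # XI and X branches

def parse(version):
    """Split a dotted version into integers so 11.0.9 == 11.0.09 and .99 < .235."""
    return tuple(int(part) for part in version.strip().split("."))

def fixed_version(product, platform, version):
    """Return the fixed version for this install's branch, or None if the
    advisory does not list the branch."""
    major = parse(version)[0]
    if product == "flash":
        if platform == "linux":
            return FLASH_LINUX
        # Assumption: a 13.x install on Windows/Mac is on the ESR branch.
        return FLASH_ESR if major == 13 else FLASH_DESKTOP
    if product in ("reader", "acrobat"):
        return READER_ACROBAT.get(major)
    return None

def needs_update(product, platform, version):
    """True/False when the branch is listed, None when it is not."""
    fixed = fixed_version(product, platform, version)
    return None if fixed is None else parse(version) < parse(fixed)

def triage(inventory):
    """Return (host, product, version, fixed) rows to patch, Flash first,
    as the advisory asks for Flash updates to be prioritized."""
    rows = [(host, product, version, fixed_version(product, platform, version))
            for host, product, platform, version in inventory
            if needs_update(product, platform, version)]
    return sorted(rows, key=lambda row: (row[1] != "flash", row[0]))

# Constructed sample inventory (hostnames and installed versions are made up).
INVENTORY = [
    ("ws-01", "reader", "windows", "11.0.9"),     # equals 11.0.09: current
    ("ws-02", "acrobat", "mac", "10.1.11"),
    ("ws-03", "flash", "windows", "16.0.0.99"),   # a string compare would miss this
    ("ws-04", "flash", "windows", "13.0.0.259"),  # ESR at the fixed version
    ("ws-05", "flash", "linux", "11.2.202.418"),
    ("ws-06", "reader", "windows", "9.5.5"),      # branch not listed: unknown
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("%s: %s %s -> update to %s or later" % row)
```

Installs on branches the advisory does not list return None from needs_update and are left out of the patch list, so they need separate review.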

Threats: 

The Adobe Flash Player vulnerabilities are actively being exploited in the wild by multiple exploit kits. Adobe has also assigned "Priority level 1" to the Adobe Reader and Adobe Acrobat vulnerabilities, indicating that they believe there is a "higher risk of being targeted, by exploit(s) in the wild."

Technical Details: 

Adobe Flash Player vulnerabilities:

  • Memory corruption vulnerabilities that could lead to code execution (CVE-2014-0587, CVE-2014-9164).
  • Use-after-free vulnerability that could lead to code execution (CVE-2014-8443).
  • Stack-based buffer overflow vulnerability that could lead to code execution (CVE-2014-9163).
  • Information disclosure vulnerability (CVE-2014-9162).
  • A vulnerability that could be exploited to circumvent the same-origin policy (CVE-2014-0580).

Exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user access.

Adobe Acrobat and Reader vulnerabilities:

  • Use-after-free vulnerabilities that could lead to code execution (CVE-2014-8454, CVE-2014-8455, CVE-2014-9165)
  • Heap-based buffer overflow vulnerabilities that could lead to code execution (CVE-2014-8457, CVE-2014-8460, CVE-2014-9159)
  • An integer overflow vulnerability that could lead to code execution (CVE-2014-8449)
  • Memory corruption vulnerabilities that could lead to code execution (CVE-2014-8445, CVE-2014-8446, CVE-2014-8447, CVE-2014-8456, CVE-2014-8458, CVE-2014-8459, CVE-2014-8461, CVE-2014-9158)
  • A time-of-check time-of-use (TOCTOU) race condition that could be exploited to allow arbitrary write access to the file system (CVE-2014-9150)
  • An improper implementation of a JavaScript API that could lead to information disclosure (CVE-2014-8448, CVE-2014-8451)
  • A vulnerability in the handling of XML external entities that could lead to information disclosure (CVE-2014-8452)
  • A vulnerability that could be exploited to circumvent the same-origin policy (CVE-2014-8453)

Exploitation could result in an attacker compromising data security, potentially allowing access to confidential data, or could compromise processing resources in a user's computer. Failed exploit attempts will likely cause denial-of-service conditions.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.
