About Pepperdine Device Management

The latest developments in device management at Pepperdine, along with relevant informational links and our patch log.

Thursday, October 23, 2014

Device Management Accelerated Release of Flash Update


The Information Security Office, working with the Device Management Core Team,
will be accelerating the patching of University-owned systems running vulnerable
versions of Flash; however, students especially are encouraged to check their computers as soon as
possible using browsercheck.pepperdine.edu and update Flash (or disable Flash if it is not
needed).

Our normal patch operation in Device Management is designed to test automated
patches and apply them within two weeks of their release. For this release of
Flash, we expect to shorten that window to one week, because this vulnerability
is being so widely and actively exploited. Again, Device Management only updates University-owned machines,
so personal and student systems should be updated with browsercheck.

BACKGROUND

There is a vulnerability in Adobe Flash that is being exploited in large
scale attacks. The vulnerability is being tracked as CVE-2014-0569 [1]
on the Common Vulnerabilities and Exposures (CVE) database. The exploit
includes memory corruption vulnerabilities and an integer overflow
vulnerability that could lead to code execution. Adobe released security
updates for all versions of Flash on October 14, 2014.

IMPACT

These vulnerabilities could allow an attacker to take control of an
affected system. They may be exploited during a drive-by
download attack. This can happen by visiting a malicious website,
viewing an email message, or clicking on a deceptive pop-up window.
Check your version of Flash here.

PLATFORMS AFFECTED

  * Adobe Flash Player 15.0.0.167 and earlier versions
  * Adobe Flash Player 13.0.0.244 and earlier 13.x versions
  * Adobe Flash Player 11.2.202.406 and earlier versions for Linux
  * Adobe AIR desktop runtime 15.0.0.249 and earlier versions
  * Adobe AIR SDK 15.0.0.249 and earlier versions
  * Adobe AIR SDK & Compiler 15.0.0.249 and earlier versions
  * Adobe AIR 15.0.0.252 and earlier versions for Android

RECOMMENDATIONS

Users should update to the latest version of Adobe Flash.

 * Adobe recommends users of the Adobe Flash Player desktop runtime for
Windows and Macintosh update to Adobe Flash Player 15.0.0.189 by
visiting the Adobe Flash Player Download Center, or via the update
mechanism within the product when prompted.

 * Adobe recommends users of the Adobe Flash Player Extended Support
Release should update to version 13.0.0.250.

 * Adobe recommends users of Adobe Flash Player for Linux update to
Adobe Flash Player 11.2.202.411 by visiting the Adobe Flash Player
Download Center.

 * Adobe Flash Player installed with Google Chrome will be automatically
updated to the latest Google Chrome version, which will include Adobe
Flash Player 15.0.0.189.

 * Adobe Flash Player installed with Internet Explorer for Windows 8.x
will be automatically updated to the latest version, which will include
Adobe Flash Player 15.0.0.189.

 * Adobe recommends users of the Adobe AIR desktop runtime should update
to version 15.0.0.293 by visiting the Adobe AIR Download Center.

 * Adobe recommends users of the Adobe AIR SDK should update to version
15.0.0.302 by visiting the Adobe AIR Download Center.

 * Adobe recommends users of the Adobe AIR SDK & Compiler should update
to version 15.0.0.302 by visiting the Adobe AIR Download Center.

 * Adobe recommends users of Adobe AIR for Android should update to
Adobe AIR 15.0.0.293 by downloading the new version from the Google Play
store.
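
The Flash Player thresholds above can be applied to a software inventory as follows. This is an added example, not part of the original advisory or any Device Management tooling: the host names and inventory rows are constructed sample data, and the version numbers are copied from the lists above. It shows why a single "older than 15.0.0.189" comparison is wrong: patched Extended Support Release (13.x) and Linux installs are numerically lower but already fixed.

```python
def parse(version):
    """Turn '15.0.0.167' into (15, 0, 0, 167) so versions compare numerically."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {version!r}")
    return parts

# From the advisory: (last affected version, fixed version) per branch.
FLASH_MAIN = ("15.0.0.167", "15.0.0.189")      # Windows / Macintosh
FLASH_ESR = ("13.0.0.244", "13.0.0.250")       # Extended Support Release, 13.x
FLASH_LINUX = ("11.2.202.406", "11.2.202.411")

def flash_rule(platform, version):
    """Pick the branch whose thresholds apply to this install."""
    if platform == "linux":
        return FLASH_LINUX
    if version[0] == 13:
        return FLASH_ESR
    return FLASH_MAIN

def assess(platform, installed):
    """Return (status, fixed_version) for one Flash Player install."""
    try:
        version = parse(installed)
    except ValueError:
        return ("unknown", None)               # unparseable inventory value
    last_affected, fixed = flash_rule(platform.lower(), version)
    if version <= parse(last_affected):
        return ("vulnerable", fixed)
    if version < parse(fixed):
        return ("outdated", fixed)             # conservative: below the fixed release
    return ("ok", fixed)

# Constructed sample inventory: (host, platform, reported Flash version).
INVENTORY = [
    ("lab-win-01", "windows", "15.0.0.167"),
    ("lab-win-02", "windows", "13.0.0.250"),   # patched ESR
    ("lab-mac-01", "macintosh", "14.0.0.145"),
    ("lab-lin-01", "linux", "11.2.202.411"),   # patched Linux
    ("lab-lin-02", "linux", "11.2.202.406"),
    ("lab-win-03", "windows", "not reported"),
]

def report(inventory):
    return {host: assess(platform, ver) for host, platform, ver in inventory}

if __name__ == "__main__":
    for host, (status, fixed) in report(INVENTORY).items():
        print(f"{host:12} {status:10} target={fixed}")
```
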

REFERENCES

>   [1] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0558

FURTHER READING

>   http://helpx.adobe.com/security/products/flash-player/apsb14-22.html
>   http://www.pcworld.com/article/2836732/one-week-after-patch-flash-vulnerability-already-exploited-in-largescale-attacks.html