Flash HOLED AGAIN TWICE below waterline in fresh Hacking Team reveals

Adobe vows to plug serious hijack leaks

55 Reg comments Got Tips?

Updated Two more serious Adobe Flash vulnerabilities have emerged from the leaked Hacking Team files, ones which allow malefactors to take over computers remotely – and crooks are apparently already exploiting at least one of them to infect machines.

The use-after-free() programming flaws, for which no patches exist, are identified as CVE-2015-5122 and CVE-2015-5123. They are similar to the CVE-2015-5119 Flash bug patched last week. The 5122 and 5123 bugs let malicious Flash files execute code on victims' computers and install malware. The bugs are present in the Windows, Linux and OS X builds of the plugin.

The 5119, 5122 and 5123 vulnerabilities were documented in stolen copies of files leaked online from spyware maker Hacking Team. The Italian biz's surveillance-ware exploits the vulnerabilities to infect computers, and these monitoring tools are sold to countries including Saudi Arabia, Sudan, Russia and the US.

Everyone with Flash installed should remove or disable the software until the critical security bugs are patched, or at least enable "click to play" in their browsers so that you know exactly what you're running on your system rather than letting websites play malicious Flash files silently in the background without warning or permission.

Adobe said on Saturday that the newly discovered flaws will be patched sometime next week:

Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015.

Adobe would like to thank Dhanesh Kizhakkinan of FireEye for reporting CVE-2015-5122 and Peter Pi of TrendMicro for reporting CVE-2015-5123 and for working with Adobe to help protect our customers.

Infosec biz FireEye has a technical writeup of the 5122 bug right here on its website. "FireEye Labs identified a PoC [proof of concept] for another Adobe Flash zero-day vulnerability buried within the leaked data, and alerted Adobe PSIRT [Product Security Incident Response Team] to the issue," Kizhakkinan notes in the blog post, published on Friday.

Meanwhile, the Malware Don't Need Coffee blog says the Angler Exploit Kit – a toolkit used by crims to infect netizens with drive-by-downloads – has been updated to exploit CVE-2015-5122.

Separately, Microsoft is working on patching an elevation-of-privilege security flaw present in the Windows operating system, which was also revealed by the Hacking Team files that were leaked online on July 5. ®

Updated to add

When this story was published, just one more vulnerability in Flash – CVE-2015-5122 – had been discovered in the Hacking Team files, and acknowledged by Adobe. Within hours of our article going live, Adobe revealed that another flaw – CVE-2015-5123 – had emerged from the leaked documents, and that it was working on a patch for that cockup, too. Security biz TrendMicro has more detail on the second bug here. Adobe also thanked slipstream/RoL for reporting CVE-2015-5123.

This story has been revised to cover both critical vulnerabilities.

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Keep Reading

Microsoft drives users to the Edge: Internet Explorer to redirect to Chromium-based browser in November

'Hey, you folks heard that there's this virus starting to spread?' – IE, probably

Azure DevOps Services reminds users that, yes, it really is time to pull the plug on Internet Explorer 11

Ignite Sure, it's still wedged in the OS, but maybe you'd prefer something shiny and Chromier?

We've come to wish you an unhappy birthday: Microsoft to yank services from Internet Explorer, kill off Legacy Edge by 2021

You need to give that plate back to us after you've finished your cake. Yes the fork too. We'll get your coat

In a world where up is down, it's heartwarming to know Internet Explorer still tops list of web dev pain points

Incompatibilities and inconsistent standards support among browsers ensure an ongoing source of headaches

Nine words to ruin your Monday: Emergency Internet Explorer patch amid in-the-wild attacks

Update browser ASAP after Google gurus spot miscreants abusing bug to hijack PCs

If you never thought you'd hear a Microsoftie tell you to stop using Internet Explorer, lap it up: 'I beg you, let it retire to great bitbucket in the sky'

We say take off and nuke the entire codebase from orbit. It's the only way to be sure

Disabled by default: Microsoft ups the ante in its war against VBScript on Internet Explorer

Will the last IE 11 user please turn out the lights?

Edge, Internet Explorer users Czech their settings after MSN 'forgot' their language

Surfers faced with challenging feeds on a new tab

Biting the hand that feeds IT © 1998–2020