Flash HOLED AGAIN TWICE below waterline in fresh Hacking Team reveals

Adobe vows to plug serious hijack leaks


Updated Two more serious Adobe Flash vulnerabilities have emerged from the leaked Hacking Team files, ones which allow malefactors to take over computers remotely – and crooks are apparently already exploiting at least one of them to infect machines.

The use-after-free() programming flaws, for which no patches exist, are identified as CVE-2015-5122 and CVE-2015-5123. They are similar to the CVE-2015-5119 Flash bug patched last week. The 5122 and 5123 bugs let malicious Flash files execute code on victims' computers and install malware. The bugs are present in the Windows, Linux and OS X builds of the plugin.

The 5119, 5122 and 5123 vulnerabilities were documented in stolen copies of files leaked online from spyware maker Hacking Team. The Italian biz's surveillance-ware exploits the vulnerabilities to infect computers, and these monitoring tools are sold to countries including Saudi Arabia, Sudan, Russia and the US.

Everyone with Flash installed should remove or disable the software until the critical security bugs are patched, or at least enable "click to play" in their browsers so that you know exactly what you're running on your system rather than letting websites play malicious Flash files silently in the background without warning or permission.

Adobe said on Saturday that the newly discovered flaws will be patched sometime next week:

Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015.

Adobe would like to thank Dhanesh Kizhakkinan of FireEye for reporting CVE-2015-5122 and Peter Pi of TrendMicro for reporting CVE-2015-5123 and for working with Adobe to help protect our customers.

Infosec biz FireEye has a technical writeup of the 5122 bug right here on its website. "FireEye Labs identified a PoC [proof of concept] for another Adobe Flash zero-day vulnerability buried within the leaked data, and alerted Adobe PSIRT [Product Security Incident Response Team] to the issue," Kizhakkinan notes in the blog post, published on Friday.

Meanwhile, the Malware Don't Need Coffee blog says the Angler Exploit Kit – a toolkit used by crims to infect netizens with drive-by-downloads – has been updated to exploit CVE-2015-5122.

Separately, Microsoft is working on patching an elevation-of-privilege security flaw present in the Windows operating system, which was also revealed by the Hacking Team files that were leaked online on July 5. ®

Updated to add

When this story was published, just one more vulnerability in Flash – CVE-2015-5122 – had been discovered in the Hacking Team files, and acknowledged by Adobe. Within hours of our article going live, Adobe revealed that another flaw – CVE-2015-5123 – had emerged from the leaked documents, and that it was working on a patch for that cockup, too. Security biz TrendMicro has more detail on the second bug here. Adobe also thanked slipstream/RoL for reporting CVE-2015-5123.

This story has been revised to cover both critical vulnerabilities.


Keep Reading

Microsoft drives users to the Edge: Internet Explorer to redirect to Chromium-based browser in November

'Hey, you folks heard that there's this virus starting to spread?' – IE, probably

Azure DevOps Services reminds users that, yes, it really is time to pull the plug on Internet Explorer 11

Ignite Sure, it's still wedged in the OS, but maybe you'd prefer something shiny and Chromier?

We've come to wish you an unhappy birthday: Microsoft to yank services from Internet Explorer, kill off Legacy Edge by 2021

You need to give that plate back to us after you've finished your cake. Yes the fork too. We'll get your coat

In a world where up is down, it's heartwarming to know Internet Explorer still tops list of web dev pain points

Incompatibilities and inconsistent standards support among browsers ensure an ongoing source of headaches

Twitter says spear-phishing attack hooked its staff and led to celebrity account hijack

Attack came in waves that probed for staff with access to the creds crims craved

Internet Archive to preserve Flash content for posterity with Ruffle emulator

WebAssembly-powered sandbox promised to be safer than the notorious plugin

Your anti-phishing test emails may be too easy to spot. NIST has a training tool for that

Phish Scale hopes to make life easier for blue teams gazing at click rates

Was that November's Patch Tuesday? Already? Oh, no, it's just Adobe issuing 14 emergency security fixes

Critical Acrobat, Reader flaws evidently couldn't wait until next week

Biting the hand that feeds IT © 1998–2020