Updated Two more serious Adobe Flash vulnerabilities have emerged from the leaked Hacking Team files, ones which allow malefactors to take over computers remotely – and crooks are apparently already exploiting at least one of them to infect machines.
The use-after-free() programming flaws, for which no patches exist, are identified as CVE-2015-5122 and CVE-2015-5123. They are similar to the CVE-2015-5119 Flash bug patched last week. The 5122 and 5123 bugs let malicious Flash files execute code on victims' computers and install malware. The bugs are present in the Windows, Linux and OS X builds of the plugin.
The 5119, 5122 and 5123 vulnerabilities were documented in stolen copies of files leaked online from spyware maker Hacking Team. The Italian biz's surveillance-ware exploits the vulnerabilities to infect computers, and these monitoring tools are sold to countries including Saudi Arabia, Sudan, Russia and the US.
Everyone with Flash installed should remove or disable the software until the critical security bugs are patched, or at least enable "click to play" in their browsers so that you know exactly what you're running on your system rather than letting websites play malicious Flash files silently in the background without warning or permission.
Adobe said on Saturday that the newly discovered flaws will be patched sometime next week:
Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015.
Adobe would like to thank Dhanesh Kizhakkinan of FireEye for reporting CVE-2015-5122 and Peter Pi of TrendMicro for reporting CVE-2015-5123 and for working with Adobe to help protect our customers.
Infosec biz FireEye has a technical writeup of the 5122 bug right here on its website. "FireEye Labs identified a PoC [proof of concept] for another Adobe Flash zero-day vulnerability buried within the leaked data, and alerted Adobe PSIRT [Product Security Incident Response Team] to the issue," Kizhakkinan notes in the blog post, published on Friday.
Meanwhile, the Malware Don't Need Coffee blog says the Angler Exploit Kit – a toolkit used by crims to infect netizens with drive-by-downloads – has been updated to exploit CVE-2015-5122.
Separately, Microsoft is working on patching an elevation-of-privilege security flaw present in the Windows operating system, which was also revealed by the Hacking Team files that were leaked online on July 5. ®
Updated to add
When this story was published, just one more vulnerability in Flash – CVE-2015-5122 – had been discovered in the Hacking Team files, and acknowledged by Adobe. Within hours of our article going live, Adobe revealed that another flaw – CVE-2015-5123 – had emerged from the leaked documents, and that it was working on a patch for that cockup, too. Security biz TrendMicro has more detail on the second bug here. Adobe also thanked slipstream/RoL for reporting CVE-2015-5123.
This story has been revised to cover both critical vulnerabilities.