SECOND Flash zero-day emerges from Hacking Team leak – and crims are already exploiting it

[Batu69]

Adobe promises to patch serious PC hijack bug ASAP

A second serious security hole in Adobe Flash that lets miscreants hijack vulnerable computers has emerged from the leaked Hacking Team files – and crooks are apparently already exploiting it to infect machines.

The use-after-free() programming flaw, for which no patch exists and is identified as CVE-2015-5122, is similar to the CVE-2015-5119 Flash bug patched last week. The 5122 bug lets malicious Flash files execute code on victims' computers and install malware. The bug is present in the Windows, Linux and OS X builds of the plugin.

Both the 5119 and 5122 vulnerabilities were documented in stolen files leaked online from spyware maker Hacking Team. The Italian biz's surveillance-ware exploits the vulnerabilities to infect computers, and these monitoring tools are sold to countries including Saudi Arabia, Sudan, Russia and the US.

Everyone with Flash installed should remove or disable the software until the critical security bug is patched, or at least enable "click to play" in their browsers so that you know exactly what you're running on your system rather than letting websites play malicious Flash files silently in the background without warning or permission.

Adobe said the newly discovered flaw will be patched sometime next week:

A critical vulnerability (CVE-2015-5122) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available during the week of July 12, 2015.

Adobe would like to thank Dhanesh Kizhakkinan of FireEye for reporting CVE-2015-5122 and for working with Adobe to help protect our customers.

Infosec biz FireEye has a technical writeup of the bug right here on its website. "FireEye Labs identified a PoC [proof of concept] for another Adobe Flash zero-day vulnerability buried within the leaked data, and alerted Adobe PSIRT [Product Security Incident Response Team] to the issue," Kizhakkinan notes in the blog post, published on Friday.

Meanwhile, the Malware Don't Need Coffee blog says the Angler Exploit Kit – a toolkit used by crims to infect netizens with drive-by-downloads – has been updated to exploit CVE-2015-5122.

Separately, Microsoft is working on patching an elevation-of-privilege security flaw present in the Windows operating system, which was also revealed by the Hacking Team files that were leaked online on July 5.

Source

[212eta]

Adobe Flash: always full of critical vulnerabilities ... :angry:

[coromonadalix]

yeah DIE flash, lots of troubles ...

[Airstream_Bill]

Facebook Security Chief wants to see Adobe Flash to Die Off.

http://www.hotforsecurity.com/blog/facebooks-security-chief-calls-for-adobe-flash-to-be-killed-off-12264.html?utm_source=SMGlobal&utm_medium=SMGlobal&utm_campaign=H4S

[CODYQX4]

Remember, you can't be attacked with this if you don't have the disease that is Flash on your PC/Mac.

I don't install it, and I disable it in Chrome. Only when I need it, do I enable it for Chrome.

I only seem to encounter a need for it for video. No site that depends 100% on Flash is worth my time.

Same thing applies to Java. I disable it in the browser, and use apps that have their own special bundle if I must.

[SPECTRUM]

Adobe Flash: always full of critical vulnerabilities ... :angry:

next vulnerabilities will be in HTML5 xD

[sternog]

Should be patched by now: //www.nsaneforums.com/topic/248489-adobe-flash-player-1800209/