Did you install an Adobe Flash Player update in the past few days? Get ready, you’ll have to do another one.
Adobe said late Friday a critical zero-day vulnerability (CVE-2015-5122) has been identified in Flash Player 220.127.116.11 and earlier versions for Windows, Macintosh and Linux which could cause a crash and potentially allow an attacker to take control of the affected system. It will be patched sometime the week of July 12.
Last week’s vulnerability and the new one are linked to data released by attackers who plundered the Italian-based security vendor Hacking Team, which sells solutions to law enforcement and intelligence agencies, according to FireEye. The first, CVE-2015-5119, was quickly adopted by multiple attacking groups and has already been used in widespread attacks.
The new bug, CVE-2015-5122, exploits the Use-After-Free vulnerability in DisplayObject. opaqueBackground that exists in Flash Player versions 9 to 18.104.22.168. Briefly, an authenticated attacker could corrupt a computer’s memory an execute arbitrary code. According to Carnegie-Mellon’s CERT, attackers leveraging this exploit typically would entice a user to visit a Web site containing specially-crafted Flash content, or to open a specially-crafted Microsoft Office document.
[UPDATE: Trend Micro says a third zero day Flash vulnerability, CVE-2015-5123, has been discovered used by Hacking Team.]
Last weekend hackers released a 400GB Torrent file with internal documents, source code and email communications taken from Hacking Team. The database suggested the company’s customers including the FBI the U.S. Drug Enforcement Agency, the Australian federal police, many agencies in Mexico as well as Egypt, Ethiopia, Morocco, Malaysia, Saudi Arabia and the United Arab Emirates.
In March the University of Toronto’s Citizen Lab sent an open letter to Hacking Team alleging a customer had misused or abused the company’s systems and solutions against journalists at the Ethiopian Satellite Television Service (ESAT) in the United States, who it says were again targeted in late 2014. Last summer Citizen Lab, which is part of the Munk School of Global Affairs and examines the use of technology on human rights and global security, attributed a Android malware implant seen in Saudi Arabia to Hacking Team.
The vulnerabilities are another reminder to CISOs that they have to think carefully about their Flash strategy — keep patching or enabling the Player’s click to play option to users have to think every time they want to use the plug-in.