Adobe has patched a Flash Player zero-day vulnerability – CVE-2015-5119 – identified in the recent Hacking Team leak, but not before it was added into a variety of exploit kits for use in ongoing attacks.
The zero-day is a use-after-free vulnerability in the ActionScript3 ByteArray class that impacts Adobe Flash Player version 9.0 through version 220.127.116.11, a CERT advisory said. If exploited, it can enable a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Adobe on Wednesday released Flash Player security updates for Windows, Macintosh and Linux that address the zero-day vulnerability and dozens of other bugs. In a security bulletin, Adobe said it is aware that an exploit targeting CVE-2015-5119 has been publicly published.
In a Wednesday email correspondence, Jerome Segura, senior security researcher at Malwarebytes Labs, told SCMagazine.com that at least three exploit kits have been observed using the zero-day vulnerability – the Neutrino Exploit Kit, the Angler Exploit Kit, and the Nuclear Exploit Kit.
“Drive-by downloads were done via compromised websites and malvertising attacks [were used] to deliver crypto-ransomware as well as install backdoors,” Segura said. “Threat actors rushed to capitalize on this zero-day that was almost put on a plate for them and required very little changes to be immediately weaponized.”
Segura indicated that CVE-2015-5119 may have gone undetected for so long because several Flash Player bugs have been identified in recent time, and actors could be leaning on other more disposable, yet equally effective vulnerabilities.
“It's interesting to understand how a flaw exists and how the vendor fixes it,” Segura said. “In particular, we have seen quick patches that addressed a narrow aspect of a vulnerability but left other areas potentially still weak. Without a doubt, there will be more Adobe Flash exploits and zero-days in the coming months.”
Other Flash Player bugs addressed by Adobe on Wednesday include a variety of heap buffer overflow, memory corruption, and type confusion vulnerabilities, several of which can lead to code execution.