Adobe is aware of and working on updates for two new critical Flash Player vulnerabilities, both of which are being reported by security researchers as zero-day bugs that came out of the recent Hacking Team leaks.
According to an Adobe security bulletin posted on Friday and updated throughout the weekend, the vulnerabilities – CVE-2015-5122 and CVE-2015-5123 – exist in Flash Player 220.127.116.11 and earlier versions for Windows, Macintosh and Linux.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” the bulletin said. “Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015.”
According to a Saturday CERT advisory on CVE-2015-5122, Adobe Flash Player contains a use-after-free vulnerability in the ActionScript3 opaqueBackground property. The bug can be exploited by a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
A Sunday CERT advisory on CVE-2015-5123 explained that Adobe Flash Player contains a use-after-free vulnerability in the ActionScript 3 BitmapData object. This bug can also be exploited by a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The vulnerabilities impact Adobe Flash Player version 9.0 through version 18.104.22.168, the advisories indicated. Both advisories also stated that the vulnerabilities “can allow attacker-controlled memory corruption,” and go on to add that attacks “typically involve enticing a user to visit a web site containing specially-crafted Flash content, or to open a specially-crafted Microsoft Office document.”
FireEye and Trend Micro were among those acknowledged for reporting the vulnerabilities – FireEye published its own findings about CVE-2015-5122 on Friday, and Trend Micro posted additional information about CVE-2015-5123 on Saturday.
Linking to a post by researcher Kafeine, Jerome Segura, senior security researcher at Malwarebytes Labs, told SCMagazine.com in a Monday email correspondence that CVE-2015-5122 is now being actively exploited in the Angler Exploit Kit and Neutrino Exploit Kit. He added that CVE-2015-5123 has not been observed in any exploit kits.
“We have seen a combination of crypto-ransomware and ad fraud malware being distributed via these attacks,” Segura said, “Most notably, we have seen a dramatic increase in the number of infections during this past week, which leads us to believe end users are not mitigating the threat by using anti-exploit tools or disabling the plug-in.”
Last week Adobe released Flash Player security updates to address CVE-2015-5119, another critical use-after-free vulnerability that came out of the Hacking Team leaks. Since it was disclosed, the bug has been incorporated into at least three exploit kits and is being actively exploited by a variety of groups.
UPDATE: Adobe has released security updates that address CVE-2015-5122 and CVE-2015-5123.