Two more Flash 0-day exploits found in Hacking Team leak, one already exploited in the wild

Exploits for two more Adobe Flash 0-days have been found in the leaked Hacking Team data. The existence of the vulnerabilities has been acknowledged by Adobe with a security advisory.

They affect all versions of Adobe Flash Player for Windows, OS X and Linux, and can be exploited to take control of vulnerable systems.

CVE-2015-5122 was reported by FireEye researcher Dhanesh Kizhakkinan. He says the exploit for the flaw is well written and uses constructs for exploiting the Use-After-Free vulnerability in DisplayObject similar to those used in the PoC for CVE-2015-5119 by the same author.

CVE-2015-5123 was reported by Trend Micro threat analyst Peter Pi and a security researcher that goes by slipstream/RoL.

It took less than a day for the exploit for the previous Flash Player vulnerability (CVE-2015-5119) to be incorporated in popular exploit kits, and the same thing happened this time: according to researcher Kafeine, the exploit for CVE-2015-5122 has been added to the Angler EK.

It’s also interesting to note that the patched CVE-2015-5119 Flash zero-day has also been briefly exploited by attackers in a malvertising attack.

Adobe is aiming to release a security update for Flash Player that will fix both these flaws this week (the week of July 13).

In the meantime, users and businesses would do well to remove Flash from their browsers – either temporarily or for good. Those who still want to use it could enable the “click-to-play” option. Adobe also provides instructions on how to uninstall Flash on Windows and OS X.