Second zero-day flaw found in Adobe Flash thanks to Hacking Team
Earlier this week an exploit for Adobe Flash was revealed -- a shock, I know. Now a second is in the wild and already being used. Known by the catchy name CVE-2015-5122, security firm FireEye discovered the flaw buried in the Hacking Team leak and alerted Adobe to it.
Adobe has released a security bulletin stating "Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 220.127.116.11 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system".
The company categorizes this flaw as "critical". FireEye points out that "The CVE-2015-5122 PoC is well written like the previous PoC for CVE-2015-5119 by the same author. The PoC also uses similar constructs for exploiting the Use-After-Free vulnerability in DisplayObject opaqueBackground".
Affected versions include 18.104.22.168 for Windows and Mac, 22.214.171.124 for Linux, 13x versions for Windows and Mac and 126.96.36.1991 for Linux.
Adobe is no stranger to these issues with its products, Flash especially. At the moment the bulletin mentions no fix, though one will certainly be coming. The company does acknowledge the issues and those who reported them -- "Adobe would like to thank Dhanesh Kizhakkinan of FireEye for reporting CVE-2015-5122 and Peter Pi of TrendMicro for reporting CVE-2015-5123 and for working with Adobe to help protect our customers".