Adobe will release fixes for two more critical Flash Player bugs from Italian firm Hacking Team this week, but security researchers say to disable the software until the fixes are delivered.
Adobe on Saturday flagged the two bugs (CVE-2015-5122, CVE-2015-5123) in a security advisory for the latest version of Flash Player. The bugs affect 22.214.171.124 and earlier versions of the software on Windows, Mac and Linux. “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe warned, rating the bugs as critical.
Adobe said it expects to push out security updates for the flaws at some stage this week.
The Saturday advisory follows a patch Adobe raced out last Wednesday for another Flash Player flaw (CVE-2015-5119) that emerged from the 400GB set of Hacking Team files that were leaked by a hacker last Sunday. Hacking Team sold its computer surveillance program Remote Control System (RCS), or Galileo, to government agencies all over the world, from Australia to Uzbekistan. One of its chief pitches was that the program could help law enforcement overcome encryption by bypassing it with malware that captures communications before encryption.
Given that there isn’t a patch available yet, it may be wise to disable Flash Player until one is released.
Criminals who sell toolkits for mass exploitation began integrating the first Flash bug discovered in Hacking Team’s files within hours. Exploit kits are used to build up networks of compromised computers. Security researchers at FireEye and Trend Micro are credited with reporting CVE-2015-5122 and CVE-2015-5123, respectively. The two companies discovered early-stage tools that could exploit the flaws, known as proofs of concept (PoCs).
According to FireEye threat researcher Dhanesh Kizhakkinan, the PoC for the flaw it discovered was “well written”, just like the PoC for CVE-2015-5119. Technical details about the vulnerability can be found here.
But there is, for now, some good news for end-users of Flash, according to Trend Micro threat analyst Peter Pi.
“It’s still a proof of concept,” he said, referring to the flaw Trend Micro discovered. “We are still looking to see if it is already being used in an attack,” he said.
Nonetheless, Pi recommended disabling Flash until Adobe releases a patch. “Considering that the Hacking Team leak is publicly available already, it poses risks to users. As such, we recommend users to disable Adobe Flash Player for the meantime until the patch from Adobe becomes available,” said Pi in a later update.