In an advisory published today, Adobe said “a critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 184.108.40.206 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” (https://krebsonsecurity.com/
Security researchers at Trend Micro claim that the leaked data stolen from Hacking Team, an Italian company that sells surveillance software to government agencies, contains a number of unpatched and unreported Adobe flaws.
While analyzing the leaked data dump, researchers discovered at least three software exploits – two for Adobe Flash Player and one for Microsoft’s Windows kernel.
Of the two Flash Player vulnerabilities, one, a use-after-free vulnerability tracked as CVE-2015-0349, has already been patched.
However, the Hacking Team described the other Flash Player exploit, which is a zero-day exploit with no CVE number yet, as “the most beautiful Flash bug for the last four years.”
Symantec has also confirmed the existence of the zero-day flaw in Adobe Flash, which could allow hackers to remotely execute code on a targeted computer, effectively allowing them to take full control of it.
Researchers found Flash zero-day proof-of-concept (POC) exploit code that, when tested, worked successfully on the latest, fully patched version of Adobe Flash (version 220.127.116.11) with Internet Explorer.
Successful exploitation of the zero-day Flash vulnerability could cause a system crash, potentially allowing a hacker to take complete control of the affected computer.
Less than 16 hours after the exploit leaked, a patch has already been offered for Linux Mint, while nothing has yet been heard from Adobe itself for Windows users.