A serious security flaw in the Adobe Flash player has been exposed by the Italian Hacking Team, with researchers urging users to disable Flash on their computers until a security patch is released later in the week.
The two bugs (CVE-2015-5122, CVE-2015-5123) affect 22.214.171.124 and earlier versions of Flash on Windows, Mac, and Linux systems. If a hacker makes use of the security flaw they could take complete control of the computer.
BYPASS THE CENSORS
Sign up to get unfiltered news delivered straight to your inbox.
Adobe have warned users, “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system”.
The Saturday advisory follows a patch it raced out last Wednesday for another Flash Player flaw (CVE-2015-5119) that emerged from the 400GB set of Hacking Team files that were leaked by a hacker last Sunday. Hacking Team sold its computer surveillance program Remote Control System (RCS), or Galileo, to government agencies all over the world, from Australia to Uzbekistan. One of its chief pitches was that the program could help law enforcement overcome encryption by bypassing it with malware that captures communications before encryption.
Given that there isn’t a patch available yet it may be wise to disable Flash Player until one is released.
Criminals who sell toolkits for mass exploitation began integrating the first Flash bug discovered in Hacking Team’s files within hours. Exploit kits are used to build up networks of compromised computers. Security researchers at FireEye and TrendMicro are credited with reporting CVE-2015-5122 and CVE-2015-5123, respectively. The two companies discovered early stage developments of tools that could exploit the flaws, known as proof of concepts (PoC).
But there is, for now, some goods news for end-users of Flash, according to Trend Micro threat analyst Peter Pi.
“It’s still a proof of concept,” he said, referring to the flaw Trend Micro discovered. “We are still looking to see if it is already being used in an attack,” he said.
Nonetheless, Pi recommended disabling Flash until Adobe releases a patch. “Considering that the Hacking team leak is publicly available already, it poses risks to users. As such, we recommend users to disable Adobe Flash Player for the meantime until the patch from Adobe becomes available,” said Pi in a later update.