Yet more Adobe Flash zero-day bugs discovered, exploited in the wild

Skull PC The hack of spyware company Hacking Team has unleashed yet more critical zero-day Adobe Flash vulnerabilities for which no official patches yet exist.

If successfully exploited, the two vulnerabilities could allow criminal hackers to hijack innocent people’s computers in order to steal information, plant further malware or launch attacks.

In an advisory published this weekend, Adobe said it hoped to roll out an emergency security update (yes! another one!) in the coming days.

Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015.

According to Adobe, the vulnerable versions of Flash are:

  • Adobe Flash Player and earlier versions for Windows and Macintosh
  • Adobe Flash Player and earlier versions for Linux installed with Google Chrome
  • Adobe Flash Player Extended Support Release version and earlier 13.x versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version and earlier 11.x versions for Linux

Technical details of one of the vulnerabilities (CVE-2015-5122) are described in a blog post by FireEye security researcher Dhanesh Kizhakkina.

Separately, Trend Micro discovered the other zero-day vulnerability (CVE-2015-5123), and recommended that users disable Adobe Flash until a patch becomes available.

Sign up to our free newsletter.
Security news, advice, and tips.

These, and the earlier vulnerability, were uncovered in the files leaked from spyware firm Hacking Team.

Hacking Team, of course, was hoping to keep knowledge of the vulnerabilities out of the hands of Adobe so that it could continue to sell them to governments and law enforcement agencies around the world.

Unfortunately (for them) Hacking Team got hacked. Not the greatest advert for a company working in one of the shadier corners of the security industry.

Adobe If you are not sure which version of Adobe Flash you are running on your computer, visit this Adobe webpage which will tell you.

The most recent version of Flash is always available from the Flash download page, but be sure not to be tricked into installing other third-party “optional offer” products at the same time (an irritating habit of Flash’s install program).

But I would also recommend going further than this, and enabling Click-to-Play, one of the best ways to protect yourself against criminals exploiting vulnerabilities in Adobe Flash.

Of course, the ultimate step is to see whether you can survive on the web without Flash at all. An idea that is becoming increasingly attractive.

Further reading:

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “Yet more Adobe Flash zero-day bugs discovered, exploited in the wild”

  1. John

    As an alternative to click-to-play , which will render some pages I frequently need useless from a practical point of view, I have installed a Chrome extension called Flashblock, since it allows to manage white/blacklists as well. Of course there are more Chrome extensions that do the same, this is not to say that this one is the best or the only one (no I’m not affiliated with the coder of this Extension either :-)

    Should the flash-platform of a white-listed site be compromised, of course you're just as screwed as otherwise. Still, when using it wisely, I prefer such a blocker instead of the native click-ro-play option.

    Any views to the contrary: let me know!

    1. Coyote · in reply to John

      There is one improvement to your suggestion (I personally use FF and NoScript even though I dislike Mozilla.. I hate Google and in any case there are some technicalities that are besides the point which is that add-ons are definitely useful); your suggestion is sound, but: use both an add-on to block (in your case flash) and you also use click to play. Yes, it involves one more step but it protects you a bit more (if ever there is a flaw in the add-on or even click to play or whatever else, you have both layers). Even if both layers are working correctly, the more explicit you are, the better (more specifically you use a white list instead of a black list).

      1. John · in reply to Coyote

        Thanks for your suggestion, I will consider (though I might get a tired finger ;o)

        1. Coyote · in reply to John

          Yes, it can be a hassle indeed. But that is an unfortunate part of security; finding that balance 100% of the time for 100% cases is impossible (and it is hard enough to get it right for individual cases). I am personally quite used to NoScript but it definitely isn't for everyone (I'd guess it isn't for most people even). Even I can get annoyed with it but that is being annoyed at sites that use many scripts that refer to other scripts (on other sites.. which might also refer to other sites, which might refer to other sites…). It all comes down to what convenience you're willing to sacrifice.

  2. Bob

    I would urge people to protect themselves with some decent anti-exploit software (e.g. EMET or MBAE) as this mitigates against the underlying techniques used to exploit Flash and other software.

    Of course, PATCH when a new version of Flash/*insert your favourite software here* is released but have the additional protection on your computer should it be needed.

    Here's an article on how Malwarebytes Anti-Exploit protected against the latest Flash vulnerabilities.

    Their free version works just fine, unless you need the additional protection for Microsoft Office:

    @John – I'd urge people not to blindly click links as they can blindly redirect you to a malicious page. The Google Chrome plugin link (for people who don't want to use the shortened URL) is:

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.