It is deja-vu all over again. A second Flash zero-day vulnerability has emerged from the Hacking Team hack and criminals are already exploiting it:
Two more serious security holes in Adobe Flash that let miscreants hijack vulnerable computers have emerged from the leaked Hacking Team files – and crooks are apparently already exploiting at least one of them to infect machines.
The use-after-free() programming flaws, for which no patches exist, are identified as CVE-2015-5122 and CVE-2015-5123. They are similar to the CVE-2015-5119 Flash bug patched last week. The 5122 and 5123 bugs let malicious Flash files execute code on victims’ computers and install malware. The bugs are present in the Windows, Linux and OS X builds of the plugin.
The 5119, 5122 and 5123 vulnerabilities were documented in stolen copies of files leaked online from spyware maker Hacking Team. The Italian biz’s surveillance-ware exploits the vulnerabilities to infect computers, and these monitoring tools are sold to countries including Saudi Arabia, Sudan, Russia and the US.
Everyone with Flash installed should remove or disable the software until the critical security bugs are patched, or at least enable “click to play” in their browsers so that you know exactly what you’re running on your system rather than letting websites play malicious Flash files silently in the background without warning or permission.
Flash needs to die. Since YouTube is HTML5 capable, I am seriously considering just getting rid of this craptastic, vulnerability-ridden software once and for all. Like Java, Flash should be outlawed.