Trend Micro’s researchers have reported a third zero-day vulnerability (CVE-2015-5123) in Adobe Flash, a result from last week’s Hacking Team attack to the Adobe Security Team.
Similar to the second Adobe Flash vulnerability discussed on Saturday, we have identified proof of concept (PoC) code; however, it has not yet been seen in active attacks or added to exploit kits like the first Adobe zero-day vulnerability, also spawned from the Hacking Team compromise.
Adobe has updated their security advisory with this information and has begun addressing both of these vulnerabilities through updates this coming week.
Until an update is available, users should consider disabling Adobe Flash.
In light of the Java zero-day attack we also discovered and discussed, disabling both Flash and Java is advisable. Extra caution should be exercised for the foreseeable future and special attention paid for the possibility of compromised ad servers.
As we’ve outlined in our Q1 2015 Threat Report, malvertising has made a comeback recently, especially leveraging zero-day vulnerabilities in Adobe Flash. Flash and Java vulnerabilities are particularly well-suited for malvertising attacks, so we could possibly see these vulnerabilities incorporated into exploit kits that, in turn, are used to attack ad servers.
For additional information, click here.
Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.