Yet more Adobe Flash zero-day vulns come to light, thanks to the Hacking Team trove. Email messages lifted from the oh-so-legitimate Italian spyware company reveal another two unpatched bugs. And I bet these ain't the last, amirite?
The vulnerabilities are likely already being exploited, so be careful out there, kids.
In IT Blogwatch, bloggers disable Flash.
Your humble blogwatcher curated these bloggy bits for your entertainment.
Let's all take a ride on Brian Krebs' cycle: [You're fired -Ed.]
For the second time in a week, Adobe Systems Inc. says it plans fix a zero-day vulnerability in its Flash Player [this week]. Adobe said the flaw is present in the latest version of Flash for Windows, Mac and Linux.
…
There is every reason to believe this exploit will soon be folded into exploit kits, crimeware used to foist drive-by downloads. ... On Wednesday, Adobe patched a different vulnerability in Flash...but not before code designed to attack the flaw was folded into the Angler and Nuclear exploit kits.. MORE
Chris Williams clarifies that it's actually two new vulns:
[The] programming flaws, for which no patches exist, are identified as CVE-2015-5122 and CVE-2015-5123. [They] let malicious Flash files execute code on victims' computers and install malware.
…
[All three] vulnerabilities were documented in stolen copies of files leaked online from spyware maker Hacking Team. ... Everyone with Flash installed should remove or disable the software...or at least enable "click to play". MORE
And Phil Muncaster credits where credit's due:
CVE-2015-5122 was discovered by FireEye threat researcher, Dhanesh Kizhakkinan, who [said] it’s a use-after-free flaw. [And] CVE-2015-5123...was discovered by Trend Micro threat analyst, Peter Pi, who [said] it’s a ValueOf bug.
…
The discovery has once again ignited debate around whether the trade in software vulnerabilities between so-called ‘reputable’ companies and governments is ethically any different from that which takes place on the cyber-criminal underground. MORE
So Cyrus Farivar uncovers the market in vulns:
If you’re a Moscow-based zero-day exploit seller, all you have to do is e-mail a spyware company like Hacking Team [and get] paid tens of thousands of dollars in just a matter of weeks.
…
The Moscow vendor’s first e-mail, dated October 13, 2013, was short and to the point. ... Hacking Team staff discussed how to proceed and were excited when Guido Landi...discovered that Toropov had a reputation. ... On October 25, 2013, the two parties came to an agreement.
…
It’s clear after reviewing other e-mails in the Hacking team archive that the firm wasn’t just buying from Toropov but from numerous others as well. ... Eric Rabe, Hacking Team’s spokesman, did not immediately respond to [my] questions. MORE
Meanwhile, "Taylor Swift" shakes it off:
This is bad.
…
Just uninstall Flash. You really, really won't miss it and your browsing will be faster. [Or] just use Chrome, exploit kits don't seem able to pierce its security layer around Flash right now.
…
Freaking Steve Jobs was right about Flash.
…
You hear in the news about programs that hold people's files for ransom? A lot of those are delivered via exploit kits as they surfed web. ... Updating your system is the #1 way to protect it. But days like today, that isn't always enough. ... Remember: Your computer has value. People will steal your passwords, lock files, or use you to route illegal traffic through YOUR connection.
…
Imagine how many Flash 0days the NSA have [scream emoji] MORE
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or itbw@richi.uk. Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.