Symantec is aware of a second vulnerability (CVE-2015-5122) in Adobe Flash Player that’s associated with Hacking Team, the Italian company which recently suffered a major data breach. The existence of the unpatched vulnerability has been confirmed by Adobe in its security bulletin.
Symantec’s analysis has confirmed that the vulnerability can be successfully exploited with the leaked proof-of-concept (PoC) code on the most recent version of Adobe Flash Player (22.214.171.124) in Internet Explorer. A successful exploitation could cause a crash and potentially allow an attacker to compromise the affected computer.
Though it may be possible that this vulnerability has previously been exploited in the wild in limited attacks, because the details of the vulnerability are now publicly available, attackers will likely incorporate the exploit into the exploit kits in the coming days. The exploit for the previous Flash Player bug, known as the Adobe Flash Player ActionScript 3 ByteArray Use After Free Remote Memory Corruption Vulnerability (CVE-2015-5119), only took about one day to be included in exploit kits.
Users who are concerned about this issue can temporarily disable Adobe Flash Player in their browser by taking the following steps:
Internet Explorer versions 10 and 11
You can re-enable Adobe Flash Player by repeating the same process, selecting “Shockwave Flash Object”, and then clicking on the “Enable” button.
Guidance for users of earlier versions of Internet Explorer is available on the Microsoft website. Select the version of Internet Explorer you are using at the top right corner.
You can re-enable Adobe Flash Player by repeating the same process, selecting “Shockwave Flash”, and then clicking on the “Enable” button.
Symantec and Norton products detect the proof-of-concept exploit with the following detections:
Intrusion prevention system:
Update – July 14, 2015:
Adobe has released security updates for Adobe Flash Player for Windows, Mac OS X, and Linux to address this critical Adobe Flash Player Use After Free Remote Memory Corruption Vulnerability (CVE-2015-5122), as well as a third vulnerability related to the Hacking Team breach, the Adobe Flash Player ActionScript 3 BitmapData Use After Free Remote Memory Corruption Vulnerability (CVE-2015-5123). Adobe added it is aware of reports that exploits targeting these vulnerabilities have been published publicly.