Two further critical Flash zero-days appear from Hacking Team breach

Security firms FireEye and Trend Micro have found two more zero-day vulnerabilities in Flash, thanks to the data leaked from Italian security company Hacking Team.
Written by Chris Duckett, Contributor

The fallout from the data exfiltration of Hacking Team continues, with Adobe's Flash once again the target, and all current versions of Flash impacted.

FireEye went public with its zero-day discovery first. The security company said that the new exploit, CVE-2015-5122, followed the format set by the first Flash zero-day to appear last week from the Hacking Team data, and also made use of a Use-After-Free vulnerability.

"The vulnerability is triggered by freeing a TextLine object within the valueOf function of a custom class when setting the TextLine's opaqueBackground," FireEye's Dhanesh Kizhakkinan said in a blog post. "Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf will overwrite the length field of Vector object with a value of 106. (Initial length is 98)."

"Exploitation continues by finding the corrupted Vector object by its length, which will be greater than 100. This enables the object to change an adjacent Vector object's length to 0x40000000."

Following this action, the CVE-2015-5122 exploit can then scan memory to find Kernel32.dll and run its payload.

Over the weekend, Trend Micro said it had found another zero-day, CVE-2015-5123, that was similar to CVE-2015-5122 and reported it to Adobe.

Trend Micro also revealed over the weekend that it had found a Java zero-day targeting NATO and a US defense organisation.

"In light of the Java zero-day attack we also discovered and discussed, disabling both Flash and Java is advisable," Trend Micro said. "Extra caution should be exercised for the foreseeable future and special attention paid for the possibility of compromised ad servers."

In its acknowledgement, Adobe said the two vulnerabilities were critical and affected Windows, OS X, and Linux.

"Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said. "Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015."

The affected versions are Flash Player and earlier for Windows and OS X, Flash Player and earlier for the player bundled with Google Chrome on Linux, Flash Player Extended Support Release version and earlier 13.x releases on Windows and OS X, and Flash Player Extended Support Release version and earlier 11.x releases on Linux.

It has been a week since 400GB of corporate data made its way out of Hacking Team and appeared online. Since that time, the data has alleged that Hacking Team had customers in Italy, the US, Spain, Singapore, Malaysia, Saudi Arabia, Mexico, Luxembourg, Egypt, Oman, Panama, Turkey, the UAE, Nigeria, Ethiopia, Poland, Thailand, Denmark and Israel, among others.

In Australia, leaked emails have said that ASIO, AFP, NT Police, Victoria's Independent Broad-based Anti-corruption Commission, and NSW Police were allegedly interested in using Hacking Team products.