Adobe just can’t seem to get any respite from the seemingly endless onslaught of zero-day vulnerabilities being discovered in its much maligned Flash Player. Adobe is set to patch two new zero-day Flash vulnerabilities this week, both of which were discovered in the data dump from the breach of Italian security vendor Hacking Team.
Hacking Team’s breach was disclosed on June 5, with 400GB of information publicly released, including information on multiple zero-day exploits.
The two new Flash zero-day exploits—CVE-2015-5122 and CVE-2015-5123—join the CVE-2015-5119 exploit that was also discovered in the Hacking Team breach. Adobe patched CVE-2015-5119 on July 8 as part of an update that provided fixes for 36 flaws in the company’s Flash Player.
The CVE-2015-5122 flaw was first discovered in the Hacking Team documents by security firm FireEye. “The CVE-2015-5122 PoC (Proof of Concept) is well written like the previous PoC for CVE-2015-5119 by the same author,” Dhanesh Kizhakkinan, senior research scientist at FireEye, wrote in a blog post. “The vulnerability is triggered by freeing a TextLine object within the valueOf function of a custom class when setting the TextLine’s opaqueBackground.”
The discovery of the second new zero-day—CVE-2015-5123—being patched by Adobe is credited to security firm Trend Micro. “Based on our analysis, this vulnerability is also of valueOf trick bug,” Peter Pi, threats analyst at Trend Micro, wrote in a blog post. “However, compared to the first two reported Flash zero-day exploits, it involves the BitmapData object and not the TextLine and ByteArray.”
What that basically means is that all three zero-days found in the Hacker Team files were some form of a use-after-free (UAF) memory corruption issue. With a UAF flaw, an attacker is able to make use of authorized memory that had been allocated for use by Flash to execute arbitrary code. UAF flaws are increasingly common across multiple classes of Web-based software and show up regularly in Microsoft’s Patch Tuesday reports for Internet Explorer (IE).
Thirty-eight vulnerabilities fixed in a single month is not a good sign for Adobe’s Flash. Across the Web, security experts are once again calling for Flash to be removed from user systems to limit risk. No doubt, there will be some users who will in fact try to remove Flash, though I suspect most will not.
The ball is now very much in Adobe’s court, and it will be interesting to see how Adobe—along with those in the security researcher community—is able to come up with a solution to the challenge of UAF weakness in Flash.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.