Internet users should take renewed caution when using both Adobe Flash and Oracle’s Java software framework; over the weekend, three previously unknown critical vulnerabilities that could be used to surreptitiously install malware on end-user computers were revealed in Flash and Java.
The Java vulnerability is significant because attackers are actively exploiting it in an attempt to infect members of NATO, researchers from security firm Trend Micro warned in a blog post published Sunday. They said the attack involves a separate Windows vulnerability indexed as CVE-2012-015, which Microsoft addressed in 2012 in bulletin MS12-027. Oracle developers are working on a fix, the blog post said.
The two Flash vulnerabilities were unearthed late last week in the 400-gigabyte dump taken from Hacking Team, the Italian spyware developer that was breached eight days ago. The two zero-day flaws, designated CVE-2015-5122 and CVE-2015-5123, are in addition to a separate previously unknown Flash vulnerability found by Hacking Team that Adobe patched on Wednesday. The currently unpatched vulnerabilities reside in the most recent versions of Flash for Windows, Mac OS X, and Linux, and allow attackers to remotely execute malicious code.
There’s no indication that either of the newly discovered Flash vulnerabilities is being actively exploited, but the published Hacking Team materials give complete technical details and include proof-of-concept attack code. That means it won’t be hard for more experienced hackers to quickly fold the attacks into exploit kits that are sold in underground crime forums online. Adobe has issued an advisory stating that the bugs will be patched later this week. Ars is once again advising readers to limit, or if possible completely curtail, use of both Flash and Java, at least until fixes for these three critical bugs are available.