Trend Micro is aware of the recently discovered critical vulnerability (CVE-2015-5119) that has been found to affect all currently available versions of Adobe Flash. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe has issued a security bulletin and has released version 220.127.116.11 to address this vulnerability.
Regarding known exploits of this vulnerability, feedback from the Trend Micro Smart Protection Network shows that the Angler Exploit Kit and Nuclear Exploit Pack have been updated to include the recent Hacking Team Flash zero-day. In addition, Neutrino Exploit Kit is also said to include this zero-day.
Update (07 July 2015): Trend Micro is now aware of two (2) additional Adobe Flash zero-day vulnerabilities connected with the widely reported Hacking Team breach. Information on the newly found vulnerabilities can be found in the following Trend Micro Security Blog postings:
- Another Zero-Day Vulnerability Arises from Hacking Team Data Leak
- New Zero-Day Vulnerability (CVE-2015-5123) in Adobe Flash Emerges from Hacking Team Leak
The two new Adobe Flash vulnerabilities (CVE-2015-5122 and CVE-2015-5123) have not been patched yet. Proof-of-concept (PoC) code exists for both, but to our knowledge there have been no active attacks against either of them, and neither has been included in exploit kits yet.
Adobe has promised to fix these newly discovered vulnerabilities the week of July 12, 2015.
Trend Micro Products and Protection
Trend Micro’s Vulnerability Response and Service Engineering teams are investigating to see what, if any, products and services may be affected and/or vulnerable. At the conclusion of this investigation we will take appropriate steps to address any issues that are identified.
If any Trend Micro products or services are affected, this Knowledge Base article will be updated to contain the most up-to-date list of products that have been tested for this vulnerability. The list will be updated continually as the investigation of additional products is completed, along with information on any patches or solutions that are required.
In addition, Trend Micro has some solutions that already provide protection against this threat:
- Trend Micro Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan) customers with the latest rules also have an additional layer of protection against this vulnerability. Specifically, Trend Micro has released the following rules for proactive protection:
  - Deep Packet Inspection (DPI) rule 10068241 – Adobe Flash ActionScript3 ByteArray Use After Free Vulnerability (CVE-2015-5119)
  - Deep Packet Inspection (DPI) rule 1006858 – Adobe Flash ActionScript3 opaqueBackground Use After Free Vulnerability (CVE-2015-5122)
  - Deep Packet Inspection (DPI) rule 1006859 – Adobe Flash Player BitmapData Remote Code Execution Vulnerability (CVE-2015-5123)
- The existing Sandbox with Script Analyzer engine, which is part of Trend Micro Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.
- The Browser Exploit Prevention (BEP) feature in our endpoint products, such as Trend Micro Security and OfficeScan, blocks the exploit once the user accesses the URL where it is hosted. Browser Exploit Prevention protects against exploits that target browsers or related plugins.
- Hacking Team Flash Zero-Day Integrated Into Exploit Kits (Trend Micro Security Intelligence Blog)
- A Look at the Open Type Font Manager Vulnerability from the Hacking Team Leak (Trend Micro Security Intelligence Blog)
- Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak (Trend Micro Security Intelligence Blog)
- Adobe Security Advisory for Flash Player