Yet another zero-day Flash exploit has been found in the massive data dump that is the result of a major compromise of Italian espionage software maker Hacking Team. Vulnerabilities CVE-2015-5122 and CVE-2015-5123 are similar to the previous Flash vulnerability (CVE-2015-5119 ) found in the Hacking Team arsenal CVE-2015-5119, however there is currently no patch available for it. Adobe has promised to release a patch on July 12th for these two critical vulnerabilities:
Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015.
The vulnerability itself was discovered as the result of an active exploit that is now in the wild. This family of new zero-day Flash exploits have already been seen active as part of APT campaigns against corporations and government agencies. It is recommended that users and businesses either remove Flash from their browsers, or configure browsers to only run Flash in “click to play” mode, as well as patch systems immediately once an update is made available.