Third Hacking Team Flash Zero-Day Found
For the third time in a week, researchers have discovered a zero-day vulnerability in Adobe’s Flash Player browser plugin. Like the previous two discoveries, this one came to light only after hackers dumped online huge troves of documents stolen from Hacking Team — an Italian security firm that sells software exploits to governments around the world.
News of the latest Flash flaw comes from Trend Micro, which said it reported the bug (CVE-2015-5123) to Adobe’s Security Team. Adobe confirmed that it is working on a patch for the two outstanding zero-day vulnerabilities exposed in the Hacking Team breach.
We are likely to continue to see additional Flash zero-day bugs surface as a result of this breach. Instead of waiting for Adobe to fix yet another flaw in Flash, please consider removing or at least hobbling this program.
James Vincent (via John Gruber):
Alex Stamos, the recently appointed chief security officer at Facebook, has called on software company Adobe to announce an “end-of-life date for Flash.” In a pair of tweets sent over the weekend, Stamos echoed a number of recent complaints from the security community that the software has become the vector for just too many hacking vulnerabilities.