Internet users should take renewed caution when using both Adobe Flash and Oracle's Java software framework; over the weekend, three previously unknown critical vulnerabilities that could be used to surreptitiously install malware on end-user computers were revealed in Flash and Java.
The Java vulnerability is significant because attackers are actively exploiting it in an attempt to infect members of NATO, researchers from security firm Trend Micro warned in a blog post published Sunday. They said the attack involves a separate Windows vulnerability indexed as CVE-2012-015, which Microsoft addressed in 2012 in bulletin MS12-027. Oracle developers are working on a fix, the blog post said.
The two Flash vulnerabilities were unearthed late last week in the 400-gigabyte dump taken from Hacking Team, the Italian spyware developer that was breached eight days ago. The two zero-day flaws, designated CVE-2015-5122 and CVE-2015-5123, are in addition to a separate previously unknown Flash vulnerability found by Hacking Team that Adobe patched on Wednesday. The currently unpatched vulnerabilities reside in the Windows, Mac OS X, and Linux versions of the most recent versions of Flash and allow attackers to remotely execute malicious code.