This is extremely serious news, especially for Oracle’s Java and Adobe Flash developers. Reports confirm that these two programming languages are under zero-day attack. The reports also mention that the Java bug is being aggressively exploited, while the Flash bugs are most likely to be targeted by malware writers. Of these, the Java flaws are considered the most important, because malware writers are aiming to infect members of NATO through the zero-day attack on Java.
Vulnerabilities and Zero-day attack
The report of the zero-day attack on Java and Flash came from the security firm Trend Micro. Trend Micro’s researchers mentioned in a blog post that the attacks are severe. Certain Java vulnerabilities are being exploited during this attack. The reports also mention that a Windows bug (indexed as CVE-2012-015) is part of this zero-day attack. Microsoft had already addressed this bug in 2012 and released the fix in bulletin MS12-027.
On the other hand, there are two Adobe Flash vulnerabilities that may be targeted by malware writers in the zero-day attack. The flaws were found when a 400-gigabyte dump was taken from the Hacking Team, which was breached a week back. The Hacking Team is an Italian spyware developer. These two vulnerabilities are indexed as CVE-2015-5122 and CVE-2015-5123. The two bugs were found by the Hacking Team and were patched by Adobe on Wednesday. However, the vulnerabilities affect the Linux, Mac OS X and Windows versions. With a zero-day attack, the attackers can execute code remotely, which makes the attack difficult to track and stop.
Reports from Trend Micro do not specifically say that the Adobe Flash flaws are being actively targeted in the zero-day attack. However, both Adobe and Oracle developers are working to fix these bugs, which are the root cause of the zero-day attack. Until then, users are advised not to use Flash and Java, for safety.
Read more about the report on Trend Micro.