FireEye was first:
FireEye went public with its zero-day discovery first. The security company said that the new exploit, CVE-2015-5122, followed the format set by the first Flash zero-day to appear last week from the Hacking Team data, and also made use of a Use-After-Free vulnerability.Then Trend Micro discovered a dangerous Flash bug as well as a zero-day vulnerability in Java:
"The vulnerability is triggered by freeing a TextLine object within the valueOf function of a custom class when setting the TextLine's opaqueBackground," FireEye's Dhanesh Kizhakkinan said in a blog post. "Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf will overwrite the length field of Vector object with a value of 106. (Initial length is 98)."
Over the weekend, Trend Micro said it had found another zero-day, CVE-2015-5123, that was similar to CVE-2015-5122 and reported it to Adobe.Web users are recommended to disable Flash and Java until the vulnerabilities are plugged.
Trend Micro also revealed over the weekend that it had found a Java zero-day targeting NATO and a US defense organisation.
Source: ZD Net