X

Adobe promises patch for Hacking Team zero-day flaw

The security flaw affects every version of Flash Player and remained undetected until the catastrophic Hacking Team data breach.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.
Charlie Osborne
2 min read

The vulnerability affects version 9 of Adobe Flash Player and above. Andrew Brookes/Getty Images

Adobe is rapidly creating a fix for a critical vulnerability affecting Flash Player which was only discovered after a hacker broke into Hacking Team's systems.

Servers belonging to surveillance firm Hacking Team were infiltrated over the weekend. In an attack the company called "sophisticated" which "took days or weeks to accomplish," a hacker walked away with over 400 gigabytes of corporate data.

The Milan-based firm is well-known for providing surveillance tools and spyware to government agencies, intelligence units and police forces worldwide, although specific information relating to these contracts was never discovered -- until now.

Considering Hacking Team's specialty in providing spyware and exploits, we are likely to see more vulnerabilities come to the surface as researchers comb through the 400GB data dump. We can, therefore, expect to see more emergency patches issued by software vendors as a result of these revelations -- hobbling Hacking Team's spying efforts as long as users keep their systems up-to-date.

Customer service history, financial reports, emails and exploit source code are only some of the files which have been scrutinized. Researchers, journalists, activists and other interested parties are delving through the stolen data, which has now grown beyond a single torrent and is available via mirrors, .onion addresses on the Tor network and through magnet links.

On Tuesday, Trend Micro researchers discovered a number of exploits and their coding as part of the data dump. Two of the exploits impact on Adobe Flash, while the other targets the Windows operating system.

The most critical vulnerability, described by Hacking Team in the information dump as the "most beautiful Flash bug for the last four years," is a ByteArray class user-after-free (UAF) vulnerability which can be used to override PC functions, change the value of objects and reallocate memory.

The vulnerability's proof-of-concept shows how the flaw can be exploited to open the Windows calculator, download and execute arbitrary malicious code on a victim's PC.

The vulnerability, which bypasses the Windows Control Flow Guard security system, affects Adobe Flash Player 9 or higher.

In an advisory, Adobe revealed the critical vulnerability has now been assigned a CVE number (CVE-2015-5119). The flaw affects all versions of Flash Player on Windows Linux and Mac systems.

"Adobe is aware of reports that an exploit targeting this vulnerability has been publicly published," the firm says.

According to Trend Micro researchers, the Angler exploit kit, Nuclear exploit pack and Neutrino exploit kit have all been updated to include the new flaw -- highlighting how important it is to keep your software up-to-date (if you insist on using Flash in the first place).

Adobe says a patch will be available on July 8.

This story originally posted as "Adobe tackles Hacking Team zero-day vulnerability" on ZDNet.