Adobe has acknowledged the existence of two new critical security flaws affecting Flash Player and has promised a fix to protect users from the zero-day vulnerabilities.
It has been a busy week for Adobe, provider of the Flash Player software. Adobe Flash is used to stream video content across the web -- and is usually subject to a monthly patch update to fix security flaws as and when they are discovered.
However, due to a cyberattack on the servers of surveillance and spyware firm Hacking Team, Adobe is now working to fix vulnerabilities which had not previously been made public.
Last week, Adobe issued a fix for a zero-day vulnerability (CVE-2015-5119) -- undetected until the attack on Hacking Team's servers. The cyberattack led to the theft of 400GB in corporate data, emails, financial reports and exploit source code. As researchers continue to rifle through the data we are likely to see more vulnerabilities in common software systems revealed.
Milan-based Hacking Team is known for supplying surveillance tools and software to governments worldwide. A Hacking Team executive told ZDNet the attack was "sophisticated" and likely "took days or weeks to accomplish," although no culprit has yet been tracked down.
The last Flash-based vulnerability, dubbed the "most beautiful Flash bug for the last four years" in Hacking Team's internal notes, is a use-after-free (UAF) vulnerability in the ByteArray class which can be used to take control of the program counter, change the values of objects and reallocate memory, and affects Adobe Flash Player 9 or higher.
Over the weekend, two additional security flaws -- deemed critical -- have been reported to Adobe, CVE-2015-5122 and CVE-2015-5123.
Originally discovered within Hacking Team files by cybersecurity firm FireEye, a proof-of-concept (PoC) shows that CVE-2015-5122 uses similar constructs to CVE-2015-5119 to exploit a use-after-free vulnerability in DisplayObject. The flaw can be exploited by freeing a TextLine object from within the valueOf function of a custom class while the TextLine's opaqueBackground is being set. As explained by FireEye researchers:
"Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf will overwrite the length field of the Vector object with a value of 106. (Initial length is 98.) Exploitation continues by finding the corrupted Vector object by its length, which will be greater than 100. This enables the object to change an adjacent Vector object's length to 0x40000000. Once the exploit achieves this, it follows the same mechanism that was used in the CVE-2015-5119 PoC."
This, in turn, allows an attacker to execute shellcode; in the PoC, the shellcode simply pops up a calculator.
The flaw affects Adobe Flash Player 18.104.22.168 and earlier versions for Windows, Mac and Linux.
The other vulnerability, CVE-2015-5123, was discovered by Trend Micro. Affecting all versions of Adobe Flash on Windows, Mac and Linux, the flaw is another valueOf-trick bug, but it relates to the BitmapData object rather than to TextLine or ByteArray -- unlike the previously discovered exploits.
The vulnerability can be triggered by preparing two Array objects sourced from a new BitmapData object and assigned MyClass object parameters. With the valueOf function of MyClass overridden, BitmapData.paletteMap is called with the two Array objects as parameters, thereby triggering the valueOf function. Inside valueOf, the next call is made to BitmapData.dispose() to dispose of the underlying memory of the BitmapData object, which in turn causes Flash Player to crash.
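Both PoCs described above hinge on the same valueOf override pattern, and the class and method names involved (TextLine, opaqueBackground, BitmapData, paletteMap, dispose) are stored as plain identifier strings in a SWF's ActionScript constant pool. The following Python triage script, added here as an illustration and not code from the article, FireEye or Trend Micro, decompresses a SWF and flags files that carry the full combination of identifiers for either pattern; the indicator sets and the sample SWF blobs it builds are constructed for this example.

```python
from __future__ import annotations
import struct
import zlib

# Identifier combinations from the two PoCs described in the article.
# Constructed heuristic: obfuscated or dynamically built names will evade it,
# and legitimate content can match, so treat hits as a triage signal only.
INDICATOR_SETS = {
    "CVE-2015-5122-like": {b"valueOf", b"TextLine", b"opaqueBackground", b"Vector"},
    "CVE-2015-5123-like": {b"valueOf", b"BitmapData", b"paletteMap", b"dispose"},
}


def swf_body(data: bytes) -> bytes:
    """Return the decompressed SWF body after the 8-byte header, or raise."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, length = data[:3], struct.unpack("<I", data[4:8])[0]  # length is uncompressed
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":  # zlib-compressed from byte 8 onward
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":  # LZMA-compressed; not handled by this example
        raise ValueError("LZMA SWF not supported here")
    else:
        raise ValueError("not a SWF")
    if length != len(body) + 8:  # header length must match the uncompressed size
        raise ValueError("header length mismatch")
    return body


def scan_swf(data: bytes) -> list:
    """Return the names of indicator sets whose identifiers all appear in the SWF."""
    body = swf_body(data)
    return [name for name, needles in INDICATOR_SETS.items() if all(n in body for n in needles)]


def make_sample_swf(identifiers: list, compressed: bool = True) -> bytes:
    """Build a constructed FWS/CWS blob whose body holds the given identifiers."""
    body = b"\x00".join(identifiers)
    payload = zlib.compress(body) if compressed else body
    sig = b"CWS" if compressed else b"FWS"
    return sig + bytes([18]) + struct.pack("<I", 8 + len(body)) + payload


if __name__ == "__main__":
    sample = make_sample_swf([b"valueOf", b"TextLine", b"opaqueBackground", b"Vector"])
    print(scan_swf(sample))  # prints ['CVE-2015-5122-like']
```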