Adobe tackles Hacking Team zero-day vulnerability

The security flaw affects every version of Flash Player and remained undetected until the catastrophic Hacking Team data breach.
Written by Charlie Osborne, Contributing Writer

Adobe is rapidly creating a fix for a critical vulnerability affecting Flash Player which was only discovered after a hacker broke into Hacking Team's systems.

Servers belonging to surveillance firm Hacking Team were infiltrated over the weekend. In an attack the company called "sophisticated" which "took days or weeks to accomplish," a hacker walked away with over 400GB of corporate data.

The Milan, Italy-based firm is well-known for providing surveillance tools and spyware to government agencies, intelligence units and police forces worldwide, although specific information relating to these contracts was never discovered -- until now.

Customer service history, financial reports, emails and exploit source code are only some of the files which have been scrutinized. Researchers, journalists, activists and other interested parties are delving through the stolen data, which has now grown beyond a single torrent and is available via mirrors, .onion addresses on the Tor network and through magnet links.

On Tuesday, Trend Micro researchers discovered a number of exploits and their coding as part of the data dump. Two of the exploits impact on Adobe Flash, while the other targets the Windows operating system.

The most critical vulnerability, described by Hacking Team in the information dump as the "most beautiful Flash bug for the last four years," is a ByteArray class user-after-free (UAF) vulnerability which can be used to override PC functions, change the value of objects and reallocate memory.

The vulnerability's proof-of-concept shows how the flaw can be exploited to open the Windows calculator, download and execute arbitrary malicious code on a victim's PC.

The vulnerability, which bypasses the Windows Control Flow Guard security system, affects Adobe Flash Player 9 or higher.

In an advisory, Adobe revealed the critical vulnerability has now been assigned a CVE number (CVE-2015-5119). The flaw affects all versions of Flash Player on Windows Linux and Mac systems.

"Adobe is aware of reports that an exploit targeting this vulnerability has been publicly published," the firm says.

According to Trend Micro researchers, the Angler exploit kit, Nuclear exploit pack and Neutrino exploit kit have all been updated to include the new flaw -- highlighting how important it is to keep your software up-to-date (if you insist on using Flash in the first place).

Adobe says a patch will be available on July 8.

Read on: Top picks

Editorial standards