Hacking Team leak releases potent Flash 0day into the wild
Researchers sifting through the
confidential material stolen from spyware developer Hacking Team
have already uncovered a weaponized exploit for a currently unpatched vulnerability in Adobe Flash, and they also may have uncovered attack code targeting
Microsoft Windows and a hardened Linux module known as SELinux.
Hacking Team documentation accompanying the Flash exploit said it targeted “the most beautiful Flash bug for the last four years,” according to a
blog post published Wednesday
by researchers from antivirus provider Trend Micro. The use-after-free flaw resides in a Flash Bytearray object. Researchers at competing AV company Symantec
have confirmed the existence of a Flash exploit that works against the latest version of Flash (18.0..194). They also have confirmed it works against people
viewing content with Internet Explorer, and it’s presumed it will work against other browsers as well.
“Symantec has confirmed the existence of a new zero-day vulnerability in Adobe Flash which could allow attackers to remotely execute code on a targeted
computer,” they wrote in a
blog post published Tuesday.
“Since details of the vulnerability are now publicly available, it is likely attackers will move quickly to exploit it before a patch is issued.”
An Adobe spokeswoman said company officials are aware of the finding and expect to release a fix on Wednesday. The officials have no indication the vulnerability
is being actively exploited at the moment. The zeroday was one of two Flash exploits Trend Micro researchers reported finding, with the other one targeting
a vulnerability cataloged as CVE-2015-0349, which
Adobe patched in April.
Until a fix is installed, readers should consider disabling Flash, particularly when browsing websites they are unfamiliar with.
Separately, there was a
report on Twitter
from a well-known exploit broker of a separate zeroday in the Windows kernel. An English translation of a technical analysis of the exploit leaked from
Hacking Team, which is
indicates the vulnerability is in every version of Windows since Windows XP. The so-called escalation of privileges exploit could be used in combination
with another exploit to increase an attacker’s access to a targeted machine.
Users on Reddit
also reported finding a previously unknown vulnerability in SELinux
this Github repository,
which appeared to suggest the exploit could be used against Android phones, which incorporate the Linux module. SELinux developers have yet to weigh in
on the reports.
The exploits can be used to surreptitiously install Hacking Team surveillance software, or other types of malware, on vulnerable computers with little
or no indication anything is amiss. If the exploits leaked from the
are limited to two or three unpatched vulnerabilities in Flash, Windows, and SELinux, the resulting damage will be much less severe than it might have
been. Still, with 400 gigabytes of data to digest, there may yet be other surprises to find.