Security Experts:

Two New Flash Player Zero-Day Bugs Found in Hacking Team Leak

Researchers have identified exploits for two new Adobe Flash Player zero-day vulnerabilities in the Hacking Team leak. Adobe has promised to patch the newly discovered bugs sometime this week.

Last week, several security firms reported finding zero-day exploits for Flash Player (CVE-2015-5119) and Microsoft Windows vulnerabilities in the 400GB of data stolen by hackers from the systems of Italy-based spyware maker Hacking Team. Shortly after Adobe released an update to address the Flash Player bug, researchers reported finding two additional Flash exploits in the leaked data.

One of the new Flash Player zero-days (CVE-2015-5122), involving the opaqueBackground property of the DisplayObject class in ActionScript 3, was reported to Adobe by FireEye. The security company noted that the proof-of-concept (PoC) code for this use-after-free (UAF) flaw was likely written by the author of the PoC for CVE-2015-5119.

The second unpatched UAF vulnerability (CVE-2015-5123) is related to the ActionScript 3 BitmapData object. The issue was reported to Adobe by Trend Micro and the security researcher known online as “slipstream/RoL” (@TheWack0lian).

Both of these vulnerabilities affect Flash Player 18.0.0.204 and earlier, and they allow a remote, unauthenticated attacker to execute arbitrary code on affected systems. According to an advisory published by Adobe over the weekend, patches for these bugs will be made available in the week of July 12.

The security researcher known as Kafeine reported that the Angler exploit kit has been leveraging CVE-2015-5122 since Saturday. Other exploit kits will likely follow soon.

The first Flash Player vulnerability whose existence came to light following the Hacking Team breach was integrated into several exploit kits. The flaw was also leveraged by advanced persistent threat (APT) actors such as Wekby (APT 18) and UPS (APT3) in their operations.

In a statement published last week, Hacking Team said it was concerned that the code published by hackers allows anyone to deploy the company’s surveillance software.

“Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so,” Hacking Team said. “We believe this is an extremely dangerous situation.”

Despite numerous accusations that it sold its solutions to totalitarian governments, the Italian company has denied doing anything illegal. However, the data leaked as a result of the breach appears to show that the company was well aware that its products had been used in countries such as Sudan, Ethiopia and Saudi Arabia.

Marietje Schaake, a Dutch member of the European Parliament, has asked the European Commission and Italian authorities to investigate Hacking Team’s activities.

Related: Hacking Team’s Flash Player Zero-Day Spotted in Attacks Prior to Breach

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.