CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Two New Flash Player Zero-Day Bugs Found in Hacking Team Leak

Researchers have identified exploits for two new Adobe Flash Player zero-day vulnerabilities in the Hacking Team leak. Adobe has promised to patch the newly discovered bugs sometime this week.

Researchers have identified exploits for two new Adobe Flash Player zero-day vulnerabilities in the Hacking Team leak. Adobe has promised to patch the newly discovered bugs sometime this week.

Last week, several security firms reported finding zero-day exploits for Flash Player (CVE-2015-5119) and Microsoft Windows vulnerabilities in the 400GB of data stolen by hackers from the systems of Italy-based spyware maker Hacking Team. Shortly after Adobe released an update to address the Flash Player bug, researchers reported finding two additional Flash exploits in the leaked data.

One of the new Flash Player zero-days (CVE-2015-5122), involving the opaqueBackground property of the DisplayObject class in ActionScript 3, was reported to Adobe by FireEye. The security company noted that the proof-of-concept (PoC) code for this use-after-free (UAF) flaw was likely written by the author of the PoC for CVE-2015-5119.

The second unpatched UAF vulnerability (CVE-2015-5123) is related to the ActionScript 3 BitmapData object. The issue was reported to Adobe by Trend Micro and the security researcher known online as “slipstream/RoL” (@TheWack0lian).

Both of these vulnerabilities affect Flash Player 18.0.0.204 and earlier, and they allow a remote, unauthenticated attacker to execute arbitrary code on affected systems. According to an advisory published by Adobe over the weekend, patches for these bugs will be made available in the week of July 12.

The security researcher known as Kafeine reported that the Angler exploit kit has been leveraging CVE-2015-5122 since Saturday. Other exploit kits will likely follow soon.

The first Flash Player vulnerability whose existence came to light following the Hacking Team breach was integrated into several exploit kits. The flaw was also leveraged by advanced persistent threat (APT) actors such as Wekby (APT 18) and UPS (APT3) in their operations.

In a statement published last week, Hacking Team said it was concerned that the code published by hackers allows anyone to deploy the company’s surveillance software.

Advertisement. Scroll to continue reading.

“Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so,” Hacking Team said. “We believe this is an extremely dangerous situation.”

Despite numerous accusations that it sold its solutions to totalitarian governments, the Italian company has denied doing anything illegal. However, the data leaked as a result of the breach appears to show that the company was well aware that its products had been used in countries such as Sudan, Ethiopia and Saudi Arabia.

Marietje Schaake, a Dutch member of the European Parliament, has asked the European Commission and Italian authorities to investigate Hacking Team’s activities.

Related: Hacking Team’s Flash Player Zero-Day Spotted in Attacks Prior to Breach

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.