Two New Flash Player Zero-Day Bugs Found in Hacking Team Leak

Researchers have identified exploits for two new Adobe Flash Player zero-day vulnerabilities in the Hacking Team leak. Adobe has promised to patch the newly discovered bugs sometime this week.

Last week, several security firms reported finding zero-day exploits for Flash Player (CVE-2015-5119) and Microsoft Windows vulnerabilities in the 400GB of data stolen by hackers from the systems of Italy-based spyware maker Hacking Team. Shortly after Adobe released an update to address the Flash Player bug, researchers reported finding two additional Flash exploits in the leaked data.

One of the new Flash Player zero-days (CVE-2015-5122), involving the opaqueBackground property of the DisplayObject class in ActionScript 3, was reported to Adobe by FireEye. The security company noted that the proof-of-concept (PoC) code for this use-after-free (UAF) flaw was likely written by the author of the PoC for CVE-2015-5119.

The second unpatched UAF vulnerability (CVE-2015-5123) is related to the ActionScript 3 BitmapData object. The issue was reported to Adobe by Trend Micro and the security researcher known online as “slipstream/RoL” (@TheWack0lian).

Both of these vulnerabilities affect Flash Player and earlier, and they allow a remote, unauthenticated attacker to execute arbitrary code on affected systems. According to an advisory published by Adobe over the weekend, patches for these bugs will be made available in the week of July 12.

The security researcher known as Kafeine reported that the Angler exploit kit has been leveraging CVE-2015-5122 since Saturday. Other exploit kits will likely follow soon.

The first Flash Player vulnerability whose existence came to light following the Hacking Team breach was integrated into several exploit kits. The flaw was also leveraged by advanced persistent threat (APT) actors such as Wekby (APT 18) and UPS (APT3) in their operations.

In a statement published last week, Hacking Team said it was concerned that the code published by hackers allows anyone to deploy the company’s surveillance software.

“Before the attack, HackingTeam could control who had access to the technology which was sold exclusively to governments and government agencies. Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so,” Hacking Team said. “We believe this is an extremely dangerous situation.”

Despite numerous accusations that it sold its solutions to totalitarian governments, the Italian company has denied doing anything illegal. However, the data leaked as a result of the breach appears to show that the company was well aware that its products had been used in countries such as Sudan, Ethiopia and Saudi Arabia.

Marietje Schaake, a Dutch member of the European Parliament, has asked the European Commission and Italian authorities to investigate Hacking Team’s activities.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
