News Stay informed about the latest enterprise technology news and product updates.

Adobe patches Flash zero-day found in Hacking Team data breach

Adobe patches a Flash zero-day vulnerability found as part of the massive data breach of Hacking Team. Experts recommend speedy remediation as the flaw has been added to multiple exploit kits.

The massive Hacking Team data breach led to the release of 400GB worth of data including a zero-day vulnerability...

for Adobe Flash. Adobe has released an out-of-band patch for the flaw just two days after it was discovered.

The vulnerability was described by the Hacking Team in a readme file in the data dump as "the most beautiful Flash bug for the last four years". Accompanying the readme in the data was a proof-of-concept exploit of the flaw.

Adobe categorized the vulnerability (CVE-2015-5119) as critical and said it affects Flash Player versions 18.0.0.194 and earlier on Windows and Mac, and versions 11.2.202.468 and earlier on Linux. Successful exploitation of the flaw could allow remote code execution.

Security researcher Kafeine found that the vulnerability has already been added to the Angler, Fiddler, Nuclear and Neutrino exploit kits. Because of this, admins are recommended to apply the patch as soon as possible.

Also found in the Hacking Team data was another Adobe Flash zero-day (CVE-2015-0349), which was patched in April, and a zero-day affecting the Windows kernel. The inclusion of these zero-days has caused experts to question if these exploits are being used by Hacking Team clients, including law enforcement and governments.

"As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully," said Ken Westin, security analyst for Tripwire. "Given the depth and amount of data compromised in this breach, it will reveal a great deal about the market for offensive tools designed for espionage with a great deal of fallout and embarrassment for some organizations."

Hacking Team spokesman Eric Rabe confirmed the breach and said that while law enforcement is investigating, the company suggests its clients suspend the use of its surveillance tools until it can be determined what exactly has been exposed.

In a new statement, Rabe warned that its software could be used by anyone because "sufficient code was released to permit anyone to deploy the software against any target of their choice.

"Before the attack, Hacking Team could control who had access to the technology that was sold exclusively to governments and government agencies," Rabe wrote. "Now, because of the work of criminals, that ability to control who uses the technology has been lost. Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. We believe this is an extremely dangerous situation."

Next Steps

Learn how exploit kits can revolutionize automated malware production.

Dig Deeper on Microsoft Patch Tuesday and patch management

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

We may gripe about things like "Don't take away my flash! My apps won't work" but on the other side we gripe when we get hacked because of these flaws. We cannot have it both ways, Flash is old and I feel it's time we need to move on to more secure means of accomplishing the task at hand.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close