Two more Flash zero-day vulnerabilities from the Hacking Team breach were recently discovered, and security researchers are scrambling to beat malicious actors to the punch while warning that more vulnerabilities will likely come to light.
Trend Micro Inc.'s Peter Pi and FireEye Inc.'s Dhanesh Kizhakian reported the latest vulnerabilities, CVE-2015-5123 and CVE-2015-5122, respectively. An Adobe Security Bulletin was issued last week for the vulnerabilities, which Adobe Systems Inc. referred to in its blog as critical and warned a successful exploit could lead to a system crash and complete takeover by the attacker.
Yesterday Adobe released patches to fix the use-after-free vulnerability and the memory corruption vulnerability. But security professionals are concerned that the data from controversial Italian surveillance vendor Hacking Team, which was breached last week, will only lead to more possible exploits.
"The information about the vulnerabilities is buried in that 400 GB trove of information that's being released," Christopher Budd, global threat communications manager at Trend Micro, said. "Security firms like us, FireEye and others are going through what's been released to find what's there."
According to Budd, it is likely there will be more vulnerabilities discovered as the stockpile of Hacking Team data is sifted through by hackers and cybercriminals.
"They're up on various torrents," Budd said. "The Hacking Team has tried to get them taken down -- but once something has been leaked to the Internet, it never goes away."
The vulnerabilities disclosed have been quickly made available for all exploit kits, according to noted French security researcher Kafeine.
"Only Angler (since Saturday) and Neutrino since [a] few hours [ago] are using the last exploit (CVE-2015-5122), which is still a zero-day," Kafeine said in an email to SearchSecurity on Monday prior to the Adobe patch release.
The previous Flash exploit from the breach was spread by Angler, Neutrino, Hanjuan, RIG, Nuclear Pack and almost all known exploit kits, according to Kafeine, and that will likely be the case with the two new Flash zero-day bugs as well.
For now, Adobe has warned its patrons to keep its products updated to avoid exploitation. "The majority of attacks we are seeing are exploiting software installations that are not up-to-date on the latest security updates," Wiebke Lips, senior manager of corporate communications at Adobe, told SearchSecurity in an email. "Adobe therefore always strongly recommends that -- as soon as these updates become available -- users follow security best practices by installing the latest security updates as the best possible defense against those with malicious intent."
"The reason is that the [anti-exploit] product does not use signatures like a traditional antivirus, but instead uses a combination of several layers checking for ASLR/DEP bypasses, malicious shellcode attempting operations out of the legitimate realm and inappropriate application behaviors," Jerome Segura, senior security researcher at Malwarebytes, said. "Once a system is infected it might be too late to save it, so users really need to start taking a proactive approach and stop the infection vectors (such as exploits) cold in their tracks."