Adobe is to issue a patch for the zero-day Flash vulnerability revealed by hackers who broke into Italian surveillance software firm Hacking Team and published 400GB of data at the weekend.
Adobe said in a security advisory it was aware of the critical vulnerability (CVE-2015-5119) in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux.
“Successful exploitation could cause a crash and allow an attacker to take control of the affected system,” Adobe said.
The vulnerability is reportedly being exploited in active attacks, according to security blogger Brian Krebs. “Several reports on Twitter suggested the exploit could be used to bypass Google Chrome's protective ‘sandbox’ technology, a security feature that forces the program to run in a heightened security mode designed to block attacks that target vulnerabilities in Flash,” he wrote in a blog post.
Google is also working on a patch for Chrome users.
According to researchers at security firm Malwarebytes, the Neutrino exploit kit is already using the Flash zero-day.
“This is one of the fastest documented cases of immediate weaponisation in the wild, possibly thanks to the detailed instructions left by Hacking Team,” security researcher Jerome Segura wrote in a blog post.
Tools for espionage market
Ken Westin, senior security analyst for security firm Tripwire, said the market for zero-day vulnerabilities is alive and well.
“What the Hacking Team breach has revealed is also highly profitable. As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools – and if they are doing so lawfully,” he said.
According to Westin, the depth and amount of data compromised in this breach will reveal a great deal about the market for offensive tools designed for espionage.
Nick Cano, a researcher at Bromium, reported coming across another of the exploits exposed by those who hacked Hacking Team and published its documents, which he believed could be used to take control of computer systems.
He said the Hacking Team exploit is reminiscent of the “ActionScript-Spray” attack used in CVE-2014-0322 and first documented by Bromium researcher Vadim Kotov.
CVE-2014-0322 used a UAF (use after free) vulnerability in Microsoft’s Internet Explorer to corrupt the length field of an ActionScript Vector object. Because every Vector access is bounds-checked only against that length, a Vector whose length has been inflated lets the attacker read and write far beyond the object, giving access to the heap of the process.
According to Cano, Hacking Team’s exploit uses this idea to achieve execution, but relies on a UAF bug internal to the ActionScript 3 engine itself rather than one in the browser.
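To make the Vector-length technique behind CVE-2014-0322 and the Hacking Team PoC concrete, the following C simulation has been added to this article; it is not Hacking Team's or Bromium's code, and it does not reproduce either exploit. It stands in for the ActionScript engine with a toy fixed-slot allocator, a `vec_t` struct playing the part of `Vector.<uint>`, and a `victim_t` object with a use-after-free bug, all constructed for the example. The optional header cookie (`COOKIE`, `validate`) is an assumed hardening shown for contrast, not something the article describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed for this example: a toy size-class allocator so the sequence is
 * deterministic. Each slot is 32 bytes and a freed slot is handed straight back
 * to the next allocation, which is what a Vector spray relies on in a real bin. */
#define SLOT_SIZE  32
#define SLOT_COUNT 8
static uint8_t heap[SLOT_COUNT * SLOT_SIZE];
static bool    slot_used[SLOT_COUNT];

static void toy_reset(void) {
    memset(heap, 0, sizeof heap);
    memset(slot_used, 0, sizeof slot_used);
}

static void *toy_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!slot_used[i]) { slot_used[i] = true; return &heap[i * SLOT_SIZE]; }
    return NULL;
}

/* Freeing neither scrubs the slot nor invalidates other pointers to it. */
static void toy_free(void *p) { slot_used[((uint8_t *)p - heap) / SLOT_SIZE] = false; }

/* Stand-in for an ActionScript Vector.<uint>: a length header, a validation
 * cookie (assumed hardening, only consulted when `validate` is set), then the
 * elements. With validation off, the length field is the entire bounds check. */
#define COOKIE    0xA5A5A5A5u   /* a real runtime would use a per-process secret */
#define VEC_ELEMS 6u            /* (32 - 8 bytes of header) / 4 */
typedef struct { uint32_t length; uint32_t cookie; uint32_t data[]; } vec_t;

static vec_t *vec_new(void) {
    vec_t *v = toy_alloc();
    memset(v, 0, SLOT_SIZE);
    v->length = VEC_ELEMS;
    v->cookie = v->length ^ COOKIE;
    return v;
}

static bool vec_get(const vec_t *v, uint32_t idx, uint32_t *out, bool validate) {
    if (validate && (v->length ^ COOKIE) != v->cookie) return false;  /* tampered header */
    if (idx >= v->length) return false;                                /* the only check when !validate */
    *out = v->data[idx];
    return true;
}

static bool vec_set(vec_t *v, uint32_t idx, uint32_t val, bool validate) {
    if (validate && (v->length ^ COOKIE) != v->cookie) return false;
    if (idx >= v->length) return false;
    v->data[idx] = val;
    return true;
}

/* The object with the use-after-free bug. Its first field lands exactly on a
 * vec_t length header once a Vector reclaims the slot. */
typedef struct { uint32_t refcount; uint32_t flags; } victim_t;

/* Free a victim, spray Vectors over the hole, then write through the stale
 * pointer. Fills `spray` so callers can use the corrupted Vector (spray[0]). */
static void corrupt_via_uaf(vec_t *spray[SLOT_COUNT]) {
    toy_reset();
    victim_t *obj = toy_alloc();
    obj->refcount = 1;
    toy_free(obj);                                /* freed, but obj is still used below */
    for (int i = 0; i < SLOT_COUNT; i++) spray[i] = vec_new();  /* spray[0] reuses obj's slot */
    obj->refcount = 0xFFFFFFFFu;                  /* the UAF write: spray[0]->length is now huge */
}

/* Read a neighbouring Vector's element through the corrupted one.
 * Returns the element, or 0 if the bounds check held. */
static uint32_t uaf_read_neighbour(bool validate) {
    vec_t *spray[SLOT_COUNT];
    corrupt_via_uaf(spray);
    spray[1]->data[0] = 0xCAFEu;                  /* lives in the next slot, normally unreachable */
    uint32_t v = 0;
    /* From spray[0]: index 6 = spray[1]->length, 7 = spray[1]->cookie, 8 = spray[1]->data[0]. */
    return vec_get(spray[0], VEC_ELEMS + 2, &v, validate) ? v : 0;
}

/* Classic second step: use the corrupted Vector to rewrite a clean neighbour's
 * length (and cookie), so the attacker keeps a well-formed Vector with a huge
 * length for later reads and writes. Returns spray[1]->length afterwards. */
static uint32_t uaf_grow_neighbour(bool validate) {
    vec_t *spray[SLOT_COUNT];
    corrupt_via_uaf(spray);
    vec_set(spray[0], VEC_ELEMS, 0x7FFFFFFFu, validate);
    vec_set(spray[0], VEC_ELEMS + 1, 0x7FFFFFFFu ^ COOKIE, validate);
    return spray[1]->length;
}

int main(void) {
    printf("no validation: read 0x%x, neighbour length 0x%x\n",
           uaf_read_neighbour(false), uaf_grow_neighbour(false));
    printf("validation:    read 0x%x, neighbour length 0x%x\n",
           uaf_read_neighbour(true), uaf_grow_neighbour(true));
    return 0;
}
```

Without validation the stale write turns one bounds check into a read of the neighbouring slot, and the second step rewrites the neighbour's header into a clean, huge Vector; with the header cookie enabled the corrupted Vector is refused before any index is consulted. The toy allocator makes slot reuse deterministic; on a real heap the spray has to match the freed object's size class and may need many more allocations before one lands in the hole.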
However, he noted that the zero-day is not weaponised, but is simply a proof of concept (PoC) that Hacking Team provided to customers.
Cano detailed the UAF vulnerability and how the Hacking Team PoC exploited that in a blog post.
The Hacking Team exploit comes with shellcode for Windows (both 32-bit and 64-bit) and Mac OS X (64-bit only).
“We’ve tested this exploit with the latest updated Flash Player 9 and Internet Explorer, which indicates that this is clearly a zero day risk to internet users today,” wrote Cano.
“Given legitimately sophisticated shellcode and mitigation bypass techniques similar to the ones documented by Bromium researcher Jared DeMott, this exploit has the potential to completely own almost any system that it hits.”
However, Cano added that the exploit can be blocked using “robust isolation technologies”.