pixel_dreams - Fotolia

Adobe to patch two more Flash flaws exposed by Hacking Team hack

Adobe plans to release security updates this week for two more Adobe Flash vulnerabilities exposed when hackers published documents belonging to Italy's controversial Hacking Team

Adobe is working on security patches for two zero-day Flash vulnerabilities revealed by hackers who broke into Italian surveillance software firm Hacking Team and published 400GB of data.

The leaked data included software, tools, zero-day exploits and documents that indicate the controversial surveillance software firm counts several oppressive governments among its customers.

Adobe rushed out an update for CVE-2015-5119 in response to reports that the vulnerability detailed in the Hacking Team leaked documents was being exploited in attacks.

Adobe plans to release a security update the week of 13-19 July 2015 for CVE-2015-5122 and CVE-2015-5123, which researchers have since uncovered in the leaked data.

The flaws are found in Adobe Flash Player 18.0.0.204 and earlier versions for Microsoft Windows, Macintosh and Linux.

Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system, Adobe said in a security bulletin.

“Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly,” the bulletin said.

Read more about zero-day exploits

CVE-2015-5122 was discovered and reported by FireEye Labs. Researchers found a proof of concept (PoC) attack for the vulnerability in the leaked data.

They said the PoC was well written like the previous PoC for CVE-2015-5119 by the same author, and uses similar constructs for exploiting the Use-After-Free vulnerability in the DisplayObject opaqueBackground property.

The vulnerability is triggered by freeing a TextLine object in the valueOf function of a custom class when setting the TextLine’s opaqueBackground property, the researchers wrote in a blog post.

CVE-2015-5123 was discovered and reported by Trend Micro, which said this vulnerability is also a valueOf trick bug.

However, compared with the first two reported Flash zero-day exploits, it involves the BitmapData object and not the TextLine and ByteArray, according to the researchers.

“Considering the Hacking team leak is publicly available, it poses risks to users. As such, we recommend users to disable Adobe Flash Player for the meantime until the patch from Adobe becomes available,” the researchers wrote.

Read more on Hackers and cybercrime prevention

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Thanks, Adobe. Glad this flaw is finally getting fixed. Now on to the next gaping hole.

Has anyone every devised a wall so impenetrable that it could thwart all attacks...? We've been at it for thousands of years, building better defenses - whether mud & stone or chips & digits - to keep the bad guys out. And, time after time, the bad guys get in. (Or, in the case of recent prison breaks, get out.)

When will we finally realize that the same old ideas that failed every time before won't do much better this next time? Soon, I hope, before there's nothing left for the hackers to take.
Cancel

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close