pixel_dreams - Fotolia

Adobe to patch two more Flash flaws exposed by Hacking Team hack

Adobe plans to release security updates this week for two more Adobe Flash vulnerabilities exposed when hackers published documents belonging to Italy's controversial Hacking Team

Adobe is working on security patches for two zero-day Flash vulnerabilities revealed by hackers who broke into Italian surveillance software firm Hacking Team and published 400GB of data.

The leaked data included software, tools, zero-day exploits and documents that indicate the controversial surveillance software firm counts several oppressive governments among its customers.

Adobe rushed out an update for CVE-2015-5119 in response to reports that the vulnerability detailed in the Hacking Team leaked documents was being exploited in attacks.

Adobe plans to release a security update the week of 13-19 July 2015 for CVE-2015-5122 and CVE-2015-5123, which researchers have since uncovered in the leaked data.

The flaws are found in Adobe Flash Player and earlier versions for Microsoft Windows, Macintosh and Linux.

Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system, Adobe said in a security bulletin.

“Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly,” the bulletin said.

Read more about zero-day exploits

CVE-2015-5122 was discovered and reported by FireEye Labs. Researchers found a proof of concept (PoC) attack for the vulnerability in the leaked data.

They said the PoC was well written like the previous PoC for CVE-2015-5119 by the same author, and uses similar constructs for exploiting the Use-After-Free vulnerability in the DisplayObject opaqueBackground property.

The vulnerability is triggered by freeing a TextLine object in the valueOf function of a custom class when setting the TextLine’s opaqueBackground property, the researchers wrote in a blog post.

CVE-2015-5123 was discovered and reported by Trend Micro, which said this vulnerability is also a valueOf trick bug.

However, compared with the first two reported Flash zero-day exploits, it involves the BitmapData object and not the TextLine and ByteArray, according to the researchers.

“Considering the Hacking team leak is publicly available, it poses risks to users. As such, we recommend users to disable Adobe Flash Player for the meantime until the patch from Adobe becomes available,” the researchers wrote.

Read more on Hackers and cybercrime prevention