pixel_dreams - Fotolia
Adobe is working on security patches for two zero-day Flash vulnerabilities revealed by hackers who broke into Italian surveillance software firm Hacking Team and published 400GB of data.
The leaked data included software, tools, zero-day exploits and documents that indicate the controversial surveillance software firm counts several oppressive governments among its customers.
Adobe rushed out an update for CVE-2015-5119 in response to reports that the vulnerability detailed in the Hacking Team leaked documents was being exploited in attacks.
Adobe plans to release a security update the week of 13-19 July 2015 for CVE-2015-5122 and CVE-2015-5123, which researchers have since uncovered in the leaked data.
The flaws are found in Adobe Flash Player 220.127.116.11 and earlier versions for Microsoft Windows, Macintosh and Linux.
Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system, Adobe said in a security bulletin.
“Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly,” the bulletin said.
Read more about zero-day exploits
- Google has come under fire for publishing a proof-of-concept attack exploiting a flaw in Windows 8.1 before Microsoft released a security update.
- Exploits of latest Adobe Flash Player zero-day vulnerability highlight threat to the enterprise of web-based exploit kits, such as Angler.
- The hacking black market is outbidding legitimate IT firms for disclosure information on zero-day exploits, according to a report from thinktank Rand.
CVE-2015-5122 was discovered and reported by FireEye Labs. Researchers found a proof of concept (PoC) attack for the vulnerability in the leaked data.
They said the PoC was well written like the previous PoC for CVE-2015-5119 by the same author, and uses similar constructs for exploiting the Use-After-Free vulnerability in the DisplayObject opaqueBackground property.
The vulnerability is triggered by freeing a TextLine object in the valueOf function of a custom class when setting the TextLine’s opaqueBackground property, the researchers wrote in a blog post.
CVE-2015-5123 was discovered and reported by Trend Micro, which said this vulnerability is also a valueOf trick bug.
However, compared with the first two reported Flash zero-day exploits, it involves the BitmapData object and not the TextLine and ByteArray, according to the researchers.
“Considering the Hacking team leak is publicly available, it poses risks to users. As such, we recommend users to disable Adobe Flash Player for the meantime until the patch from Adobe becomes available,” the researchers wrote.