Adobe tomorrow is expected to release an updated version of Flash Player that will patch a zero-day vulnerability uncovered among the 400 GB of data stolen from Hacking Team.
The controversial Italian intrusion and surveillance software vendor was breached, and on Sunday private documents, including internal emails and customer invoices, were leaked. The published loot shows sales to oppressive governments, a practice the company’s marketing material says it did not engage in.
Adobe’s advisory, published a short time ago, is short on details other than to say that the vulnerability has likely been publicly exploited. The vulnerability, CVE-2015-5119, affects Flash Player version 18.0.0.194 and earlier for Windows, Macintosh and Linux systems.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” said the Adobe advisory. The vulnerability was reported to Adobe by researcher Morgan Marquis-Boire and Google Project Zero. Marquis-Boire and Adobe confirmed to Threatpost that the patch will address the Hacking Team zero-day.
As researchers comb through the hacked documents and data, there are likely to be other unreported flaws in popular software. The Grugq, a security researcher based in Bangkok, said on his Twitter feed that a Windows zero-day is also documented.
All that fear about 0day and HackingTeam had only 2 that are relevant (flash + win32k).
— thaddeus e. grugq thegrugq@infosec.exchange (@thegrugq) July 7, 2015
Hacking Team plays in a market heavily scrutinized by security and privacy experts who say that oppressive governments such as Sudan and Ethiopia—both Hacking Team customers—can abuse the software to keep tabs on citizens and suppress the work of activists, journalists and others. Citizen Lab at the University of Toronto published an open letter earlier this year to Hacking Team executives asking why Ethiopian journalists were targeted by one of their customers, a supposed violation of the Milan-based company’s policy.
Since the Hacking Team breach was disclosed on Sunday afternoon, the story has moved quickly as more details are disclosed about customers and internal operations; the highest revenue-producing countries for Hacking Team are Mexico, Italy and Morocco. The U.S. is also listed among its customers, with the Drug Enforcement Agency and FBI buying spyware from the firm.
It was also disclosed that Hacking Team had an enterprise developer certificate from Apple, allowing it to build and sign OS X and iOS applications and distribute them internally. Apple has since revoked Hacking Team’s certificate.
The EU Parliament, meanwhile, today asked the European Commission whether Hacking Team’s sales to certain countries are a violation of EU sanctions. Marietje Schaake, a Dutch member of the European Union Parliament, has been outspoken about the use of surveillance programs by sanctioned nations and likened companies such as Hacking Team to modern-day arms dealers.