Adobe has put the two outstanding Hacking Team Flash Player zero-day vulnerabilities in check.
Today, Adobe released an updated Flash Player that patches CVE-2015-5122 and CVE-2015-5123, two use-after-free bugs uncovered and exploited by the controversial Italian surveillance software vendor. The bugs were found as researchers combed through the 400 Gb of data stolen from Hacking Team and posted online July 5.
Since the disclosures, three Flash zero days and an unpatched, publicly exploited Windows kernel privilege escalation vulnerability have been emerged from the Hacking Team cache. Adobe has already patched the first Flash zero day, CVE-2015-5119, and it is unknown whether Microsoft will today patch the Windows 0day as part of its monthly Patch Tuesday security bulletins.
The Adobe patches come less than 24 hours after browser vendor Mozilla announced that it had disabled Flash by default in Firefox. Prominent security figures, such as new Facebook CSO Alex Stamos, have been vocal about Adobe killing off Flash entirely. Flash has long been a favorite target of criminal and nation-state hackers for its cross-platform ubiquity, and constant spate of security vulnerabilities.
CVE-2015-5122, disclosed to Adobe by FireEye, is an ActionScript 3 opaqueBackground use-after-free bug, while CVE-2015-5123 is a BitmapData use-after free bug. According to the DHS CERT, both bugs can be exploited by an attacker tricking a visitor into landing on a website hosting an exploit, and allow for complete takeover of a compromised machine
Exploit kit expert and security researcher Kafeine said the zero day discovered by FireEye has already been integrated into the Angler Exploit Kit, as well as the Metasploit Framework. The first zero-day uncovered in the hack was also quickly incorporated into popular exploit kits.
Today’s Flash update, 18.0.0.209, patches versions 18.0.0.203 and earlier for Windows and Macintosh systems, and 18.0.0.204 and earlier for Linux machines.
The Hacking Team hack was disclosed on July 5 when seemingly all of the company’s internal email, product specs and sales data was posted at numerous sites. Despite company policy stating the contrary, invoices and sales receipts found in the post-breach data dump show that Hacking Team sold its Remote Control System (RCS) tool to sanctioned countries run by oppressive governments, such as Sudan and Ethiopia. Hacking Team said it has ended its business relationships with these countries. RCS is sold to law enforcements and government agencies worldwide as a monitoring tool.
Yesterday, Hacking Team renewed its vow to press on as a company and rebuild not only its infrastructure, but RCS from scratch.
“A totally new internal infrastructure is being [built] at this moment to keep our data safe. Of course, our top priority here has been to develop an update to allow our clients to quickly secure their current surveillance infrastructure,” said Hacking Team chief operating officer David Vincenzetti in a statement. “We expect to deliver this update immediately. This update will secure once again the ‘Galileo’ version of Remote Control System.”
Adobe today also patched 46 vulnerabilities in Adobe Reader and Acrobat, and two in the Shockwave Player.
The Reader and Acrobat updates patch a number of code execution vulnerabilities, in addition to information disclosure, denial-of-service, and privilege escalation vulnerabilities in versions 11.0.11 and 10.1.14 and earlier for Windows and Macintosh machines.
The Shockwave update addresses two memory corruption bugs that lead to code execution in versions 12.1.8.158 and earlier, Adobe said.