Number: IRCNE2015072565
Date: 2015/07/10
According to “zdnet”, Adobe is rapidly creating a fix for a critical vulnerability affecting Flash Player which was only discovered after a hacker broke into Hacking Team's systems.
Servers belonging to surveillance firm Hacking Team were infiltrated over the weekend. In an attack the company called "sophisticated" which "took days or weeks to accomplish," a hacker walked away with over 400GB of corporate data.
Customer service history, financial reports, emails and exploit source code are only some of the files which have been scrutinized. Researchers, journalists, activists and other interested parties are delving through the stolen data, which has now grown beyond a single torrent and is available via mirrors, .onion addresses on the Tor network and through magnet links.
On Tuesday, Trend Micro researchers discovered a number of exploits and their coding as part of the data dump. Two of the exploits impact on Adobe Flash, while the other targets the Windows operating system.
The most critical vulnerability, described by Hacking Team in the information dump as the "most beautiful Flash bug for the last four years," is a ByteArray class user-after-free (UAF) vulnerability which can be used to override PC functions, change the value of objects and reallocate memory.
The vulnerability's proof-of-concept shows how the flaw can be exploited to open the Windows calculator, download and execute arbitrary malicious code on a victim's PC.
The vulnerability, which bypasses the Windows Control Flow Guard security system, affects Adobe Flash Player 9 or higher.
Adobe says a patch will be available on July 8.
- 9