The recent hack on the Italian software surveillance firm Hacking Team was partially done through a vulnerability in Flash, and now Adobe is working in fifth gear, trying to release a fix as soon as possible.
As security firm Trend Micro wrote in a blog post recently (opens in new tab), a total of three exploits were found, one of which was already patched.
„The information dump includes at least three exploits – two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched.“
„One of the Flash exploits is described by Hacking Team as “the most beautiful Flash bug for the last four years.” This Flash exploit has not yet been given the CVE number,“ Trend Micro writes.
The 'most beautiful bug' is a ByteArray class user-after-free (UAF) vulnerability which can be used to override PC functions, change the value of objects and reallocate memory.
The vulnerability's proof-of-concept shows how the flaw can be exploited to open the Windows calculator, download and execute arbitrary malicious code on a victim's PC.
The vulnerability, which bypasses the Windows Control Flow Guard security system, affects Adobe Flash Player 9 or higher.
Adobe yesterday revealed (opens in new tab) that the critical vulnerability has now been assigned a CVE number (CVE-2015-5119).
"Adobe is aware of reports that an exploit targeting this vulnerability has been publicly published," the firm says.
The Italians were hacked recently, and the attacker walked away with some 400GB of internal data. The data has shown, among other things, that the company sold cyber weapons to Sudan.