This latest piece of news, involving both the controversial Italian security company Hacking Team and poor Adobe with its Flash software, is good and bad at the same time. Or it can be bad and bad, depending on your point of view.
Anyway, as we already know, Hacking Team recently got a taste of its own medicine, when more than 400GB of its data, including email communication and operations were stolen and posted online.
It was revealed that the company sold cyber weapons to Sudan, as well as spying tools to Malaysia, just to name a few. But the latest data leak also exposes two unpatched zero-day vulnerabilities in Adobe Flash, and they are most likely already being folded into exploit kits as Adobe prepares its response.
“Two more serious Adobe Flash vulnerabilities have emerged from the leaked Hacking Team files, ones which allow malefactors to take over computers remotely – and crooks are apparently already exploiting at least one of them to infect machines,” The Register reported on Sunday.
The vulnerabilities affect Windows, Linux and OS X systems.
“The use-after-free() programming flaws, for which no patches exist, are identified as CVE-2015-5122 and CVE-2015-5123. They are similar to the CVE-2015-5119 Flash bug patched last week. The 5122 and 5123 bugs let malicious Flash files execute code on victims' computers and install malware. The bugs are present in the Windows, Linux and OS X builds of the plugin.”
Everyone with Flash installed should remove or disable the software until the critical security bugs are patched, or at least enable "click to play" in their browsers so that they know exactly what is running on their system, rather than letting websites play malicious Flash files silently in the background without warning or permission.
Adobe said the newly discovered flaws will be patched sometime this week.
Now that these vulnerabilities are out in the open, they can be patched. That’s the good part of the story.