Adobe is reporting a critical vulnerability in its popular Flash Player. The software company on Tuesday revealed nearly all versions of the player for Windows, Macintosh and Linux are at risk.
This zero-day vulnerability is especially critical, given Trend Micro’s March warning about the troubling combination of exploit kits and malvertising. The security firm warned that zero-day exploits are now being deployed in malicious ads right away, instead of first being used in targeted attacks against enterprises.
And this relates directly to Adobe. Trend Micro reported two of the recent Adobe Flash zero-days (CVE-2015-0311 and CVE-2015-0313) were delivered to end users via malvertisements, putting the masses at risk.
In the new vulnerability, Adobe said successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe said an exploit targeting this vulnerability has been published publicly. On Tuesday, the firm said a patch should be available July 8.
But there’s a bigger story to tell. The flaw was made public after the Hacking Team was hacked. The Italian company has made a name for itself helping governments and intelligence agencies spy on people. But now the tables have apparently been turned as the team’s private documents have been exposed online.
As part of the attack, hackers sent a tweet from the Hacking Team’s twitter account that offered a link to 400 GB of the company’s source code, e-mails and internal files. The Adobe Flash flaw was part of that disclosure. Adobe has not publicly commented on the correlation but security analysts at Malwarebytes quickly connected the dots.
“Without a doubt cybercriminals have already got their hands on it and will integrate it in their exploit kits soon,” said Jerome Segura, a senior security researcher at Malwarebytes. “This is one of the fastest documented cases of an immediate weaponization in the wild, possibly thanks to the detailed instructions left by Hacking Team.”
Zero-Day Market Thriving
We turned to Ken Westin, senior security analyst for advanced threat detection firm Tripwire, to get his thoughts on the new Flash threat. He told us the market for zero-day vulnerabilities is alive and well and, as the Hacking Team breach has revealed, is also highly profitable.
“As many governments move to try and control malware and offensive security tools, some have been caught with their own hands in the cookie jar, leading many to wonder how and why governments and agencies listed as Hacking Team clients are using these tools and if they are doing so lawfully,” Westin said.
Given the depth and amount of data compromised in this breach, it will reveal a great deal about the market for offensive tools designed for espionage with a great deal of fallout and embarrassment for some organizations, he added.
Source: News Factor