Leaked Hacking Team data discloses that hackers exploited unpatched Adobe Zero-day

The recent cyber attack that uncovered 400GB of corporate data affiliated to Hacking Team, a surveillance software firm has disclosed that the spyware company have already found out an exploit for an unpatched zero-day susceptibility in Flash Player.

Trend Micro security researchers state that the leaked data stolen from Hacking Team, a company known to sell surveillance tools and communication interception, have a number of unpatched and unreported Adobe flaws.

The researchers while examining the leaked data dump found at least three software exploits – two for Adobe Flash Player and one for Microsoft’s Windows kernel.

Out of two, one of the Flash Player susceptibilities, known as Use-after-free vulnerability with CVE-2015-0349, has already been patched.

However, the Hacking Team described the other Flash Player exploit, which is a zero-day exploit with no CVE number yet, as “the most beautiful Flash bug for the last four years.”

US-CERT has issued an advisory (VU#561288) regarding the unpatched Adobe Flash use-after-free zero-day susceptibility in the ActionScript 3 ByteArray that lets a remote attacker to execute arbitrary code on a targeted system, which in turn lets him to take full control of it.

“An attacker can execute arbitrary code in the context of the user running Flash Player. Attacks typically involve enticing a user to visit a website containing specially-crafted Flash content, or to open a specially-crafted Microsoft Office document,” the advisory states.

“The CERT/CC is currently unaware of a practical solution to this problem.”

According to Adobe, the ByteArray class can be used by advanced developers who require to access data on the byte level, and offers methods and properties to make the best use of reading, writing, and working with binary data.

Uses include:

  • Creating a custom protocol to connect to a server
  • Writing your own URLEncoder/URLDecoder
  • Writing your own AMF/Remoting packet
  • Optimizing the size of your data by using data types
  • Working with binary data loaded from a file

Adobe Flash Player versions 9.0 through version 18.0.0.194 are affected by the susceptibility. However, a Flash zero-day proof-of-concept (POC) exploit code was discovered by the researchers, which after successful testing worked on the most recent, fully patched version of Adobe Flash (version 18.0.0.194) with Internet Explorer.

Successful exploitation of the zero-day Flash susceptibility could cause a system crash, possibly allowing a hacker to take full control of the affected system.

All major web browsers are affected by the zero-day susceptibility, which includes Google’s Chrome, Mozilla’s Firefox, Microsoft’s Internet Explorer and Apple’s Safari as well.

No active exploits of the susceptibility have been noticed by the researchers as of yet. However, as the details of the susceptibility are now made public, it is possible that cybercriminals will make an attempt to quickly exploit the flaw before a patch is issued.

“To defend against this and other, as yet unknown vulnerabilities, disable Flash in your browser or enable Click-to-Play features,” the advisory says.

“The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. In particular, Attack Surface Reduction (ASR) can be configured to help restrict Microsoft Office and Internet Explorer from loading the Flash ActiveX control.

LEAVE A REPLY

Please enter your comment!
Please enter your name here