Flash Zero Days Abound

Monday, July 13, 2015 @ 04:07 PM gHale

Adobe issued an emergency update for Flash Player to patch a Zero Day vulnerability whose existence came to light after hackers breached the systems of surveillance software maker Hacking Team. At the same time researchers found three more Zero Days affecting Flash.

The first big Flash Player vulnerability (CVE-2015-5119), related to the ActionScript 3 ByteArray class, allows a remote, unauthenticated attacker to execute arbitrary code on vulnerable systems.


Cybercriminals added an exploit for the vulnerability to the Angler, Neutrino and Nuclear Pack exploit kits shortly after its existence came to light.

The vulnerability affects Flash Player and earlier versions. Adobe patched the bug with the release of Flash Player

Users who update their installations to the latest version should be protected against attacks involving these exploit kits.

Hacking Team has likely used this Flash Player Zero Day to deploy its surveillance software on targeted systems. Proof-of-concept (PoC) code discovered in the leak describes the vulnerability as “the most beautiful Flash bug for the last four years since CVE-2010-2161.”

This isn’t the only Zero Day exploit found in the Hacking Team leak. Researchers found a less serious Windows kernel bug in the OpenType font manager module provided by Adobe. Microsoft is working on a patch for this issue.

Attackers leaked 400GB of data obtained from Hacking Team’s systems, including emails, software, source code, and various types of documents. The exposed files appear to show that, despite its denials, the Italian spyware maker has been working with countries such as Sudan, Ethiopia, the UAE, Saudi Arabia, Bahrain, Nigeria, Kazakhstan and Uzbekistan.

Hacking Team has confirmed its systems were breached, but it has not commented on the authenticity of the leaked files. A member of the European Parliament wants an investigation of the company.

In addition, there are two more Zero Days in Flash. CVE-2015-5122, reported by FireEye researcher Dhanesh Kizhakkinan, is well crafted and uses constructs for exploiting the Use-After-Free vulnerability in DisplayObject similar to those used in the PoC for CVE-2015-5119 by the same author.

CVE-2015-5123 was reported by Trend Micro threat analyst Peter Pi and a security researcher who goes by slipstream/RoL.

It took less than a day for the exploit for the previous Flash Player vulnerability (CVE-2015-5119) to make it into popular exploit kits. The same is true for the CVE-2015-5122 exploit, which is now in the Angler exploit kit.