Adobe is racing out a patch to fix a flaw in Flash Player that was secretly used by Italian surveillance software outfit Hacking Team — until details of it were leaked on Sunday.
The surprise patch for Flash Player will be released on Wednesday to close a flaw that was being used by the Hacking Team as part of a 'lawful intercept' package it sold to governments around the world to spy on targets.
The Hacking Team has gained notoriety among privacy advocates as a company that sells surveillance malware to governments with questionable human rights records, including agencies from Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia and Sudan. According to the leaked documents, it also at one point sold its software to the Australian Federal Police.
An Adobe spokeswoman confirmed to CSO Australia that the fix being delivered was to address a flaw that was discovered on Monday by security researchers who were poring over a 400GB trove of data leaked from the Italian firm on Sunday.
Flaws in Flash Player, along with Adobe Reader, Java and numerous Microsoft products are prized among hackers due to their ubiquity on computers. But fixes can often take months to deliver for affected products, often involving a degree of haggling between researchers who have found them and the vendor of the affected product.
The fix will be an important one for users to apply, in particular now that details of it have been published.
Trend Micro, one of the security firms that discovered the Flash flaw among the Hacking Team’s lost files, noted that the Italian vendor described the exploit as “the most beautiful Flash bug for the last four years.”
Rival security firm Symantec also confirmed the existence of the zero-day flaw, speculating that since details were public other attackers would move to exploit it before Adobe had issued a patch.
Symantec had warned that “it can be expected that groups of attackers will rush to incorporate it into exploit kits before a patch is published by Adobe.”
The swift patch from Adobe will minimise the potential threats to users of Flash Player and will go some way to neutralising recommendations for users to temporarily disable Flash in their browsers. Despite Adobe's rapid response, hackers are still likely to integrate the flaw into exploit kits to take advantage the portion of users who are slow to update vulnerable software.
Adobe has rated the vulnerability as critical. The flaw now has the official identifier CVE-2015-5119, which Adobe confirmed affects Adobe Flash Player 18.104.22.168 — the new version — and earlier versions for Windows, Macintosh and Linux.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” it said in a security bulletin.
“Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available on July 8, 2015,” it added.
The company credited Google’s squad of expert hackers in its Project Zero team and independent security research Morgan Marquis-Boire for reporting CVE-2015-5119.
This article is brought to you by Enex TestLab, content directors for CSO Australia.