The recent attack on The Hacking Team ended up revealing previously unknown exploits in different software.
One of the more urgent of the exploits is found in Adobe Flash. As CNET described it:
The most critical vulnerability, described by Hacking Team in the information dump as the "most beautiful Flash bug for the last four years," is a ByteArray class user-after-free (UAF) vulnerability which can be used to override PC functions, change the value of objects and reallocate memory.
The vulnerability's proof-of-concept shows how the flaw can be exploited to open the Windows calculator, download and execute arbitrary malicious code on a victim's PC.
Adobe, which has been known to drag its feet when it comes to addressing vulnerabilities, has acted quickly here, already releasing a patch. But is it too late? According to Computerworld, cyber criminals started taking advantage of the exploit almost immediately:
According to a researcher known online as Kafeine, the leaked Hacking Team exploit has already been integrated into three commercial exploit kits: Angler, Neutrino and Nuclear Pack.
A Malwarebytes blog added that, thanks to the details revealed in the Hacking Team hack:
This is one of the fastest documented case of an immediate weaponization in the wild.
Unfortunately, this may be the tip of the iceberg. There are likely many more vulnerabilities that The Hacking Team knew about but didn’t disclose, Grayson Milbourne, security intelligence director at Webroot, told me in an email comment. And this, Milbourne added, leads us to another problem: Those who discover exploits often have little motivation to disclose them to the software authors. He said:
While yes, there are some White Hats out there, and some companies (Google especially) have bounty programs to encourage the disclosure of these flaws, the vast majority of exploits are discovered for malicious purpose. And it isn’t just hackers who are discovering these exploits, governments are too as many APT analysis shows the widespread usage of zero day exploits in their attacks.
It’s proof, yet again, that the Internet is a risky place, and if we want to keep our systems safe, we have to depend on ourselves to practice better security. Like Milbourne told me, it’s great that Adobe produced a patch so quickly, but that patch isn’t going to keep anything secure if users aren’t updating the software when prompted.
I expect there will be more reports of urgent updates in the coming days and weeks, directly resulting from this one hack.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba