Adobe Patches Critical Hacking Team Zero-day Breach

By CIOReview | Monday, July 20, 2015

FREMONT, CA: Adobe recently acknowledged the existence of two new critical security flaws affecting Flash Player, which have kept the company on its toes to protect its users from zero-day vulnerabilities.

Adobe, provider of the Flash Player software used to stream video content across the web, usually issues a monthly patch update to fix security flaws as and when they are discovered. But due to a cyber-attack on the servers of surveillance and spyware firm Hacking Team, Adobe is now working to fix vulnerabilities which, until now, had not been made public.

Adobe issued a fix for a zero-day vulnerability (CVE-2015-5119) which was undetected until the attack on Hacking Team's servers. The cyber-attack that exposed the previously unknown vulnerabilities led to the theft of 400GB in corporate data, emails, financial reports and exploit source code, which hackers published recently after rooting the servers of Hacking Team, the Italy-based company that sold spyware and exploits to governments around the world, reports Charlie Osborne for zdnet.com.

As previously reported, the Hacking Team itself was hacked by unknown individuals, who then published e-mails, sales invoices, and marketing material that appeared to contradict long-standing assurances from company executives that they operated ethically and didn't do business with repressive governments.

The two Flash vulnerabilities (CVE-2015-5122 and CVE-2015-5123) unearthed recently are in addition to a third one (CVE-2015-5119), found earlier in the Hacking Team dump, which Adobe patched a few days after it was discovered. All three critical vulnerabilities were present in Flash versions for Windows, Mac OS X, and Linux. At least one of them was potent enough to pierce the vaunted Google Chrome security sandbox, most likely because it was combined with a separate privilege-escalation exploit for Windows, reports Dan Goodin for arstechnica.com.