Hacking Team leak releases potent Flash 0day into the wild

Researchers sifting through the confidential material stolen from spyware developer Hacking Team have already uncovered a weaponized exploit for a currently unpatched vulnerability in Adobe Flash, and they also may have uncovered attack code targeting Microsoft Windows and a hardened Linux module known as SELinux.

Hacking Team documentation accompanying the Flash exploit said it targeted "the most beautiful Flash bug for the last four years," according to a blog post published Wednesday by researchers from antivirus provider Trend Micro. The use-after-free flaw resides in a Flash Bytearray object. Researchers at competing AV company Symantec have confirmed the existence of a Flash exploit that works against the latest version of Flash (18.0..194). They also have confirmed it works against people viewing content with Internet Explorer, and it's presumed it will work against other browsers as well.

"Symantec has confirmed the existence of a new zero-day vulnerability in Adobe Flash which could allow attackers to remotely execute code on a targeted computer," they wrote in a blog post published Tuesday. "Since details of the vulnerability are now publicly available, it is likely attackers will move quickly to exploit it before a patch is issued."

An Adobe spokeswoman said company officials are aware of the finding and expect to release a fix on Wednesday. The officials have no indication the vulnerability is being actively exploited at the moment. The zeroday was one of two Flash exploits Trend Micro researchers reported finding, with the other one targeting a vulnerability cataloged as CVE-2015-0349, which Adobe patched in April. Until a fix is installed, readers should consider disabling Flash, particularly when browsing websites they are unfamiliar with.

Separately, there was a report on Twitter from a well-known exploit broker of a separate zeroday in the Windows kernel. An English translation of a technical analysis of the exploit leaked from Hacking Team, which is available here, indicates the vulnerability is in every version of Windows since Windows XP. The so-called escalation of privileges exploit could be used in combination with another exploit to increase an attacker's access to a targeted machine.

Users on Reddit also reported finding a previously unknown vulnerability in SELinux and cited this Github repository, which appeared to suggest the exploit could be used against Android phones, which incorporate the Linux module. SELinux developers have yet to weigh in on the reports.

The exploits can be used to surreptitiously install Hacking Team surveillance software, or other types of malware, on vulnerable computers with little or no indication anything is amiss. If the exploits leaked from the colossal Hacking Team breach are limited to two or three unpatched vulnerabilities in Flash, Windows, and SELinux, the resulting damage will be much less severe than it might have been. Still, with 400 gigabytes of data to digest, there may yet be other surprises to find.