Skip to main content

Major Adobe Flash security flaw discovered in Hacking Team leak

Major Adobe Flash security flaw discovered in Hacking Team leak

Share this story

Spyware company Hacking Team was compromised earlier this week, leading to 400GB of internal files, source code, and emails being made available on torrent sites for anyone to download. While there’s some embarrassing communications contained within the leak, some serious software flaws have also been discovered. The Register reports that some source code contained within the leak includes software vulnerabilities that are being exploited by Hacking Team to break into PCs. At least one of the vulnerabilities has been patched by Adobe; users are advised to update Flash as soon as possible.

Another day, another Adobe Flash vulnerability

Two vulnerabilities have been discovered, affecting Adobe’s Flash software and Microsoft’s Windows operating system. Hacking Team describes the Flash flaw as "the most beautiful Flash bug for the last four years," suggesting that the company may have been using this to access people’s machines for quite some time. The vulnerability itself allows malicious attackers to execute code on a victim’s machine through a website. It affects Windows, OS X, and Linux, and can be used against browsers like IE, Firefox, Chrome, and Safari. Hacking Team appears to have used this hole to install its own exploit kits and monitor or remotely control PCs. Adobe is now aware of the vulnerability and a patch has been issued, but given the vast amount of security issues with Flash over the years it's advisable to move away from using the software if you're able to.

The second vulnerability affects an Adobe font driver in Windows. All 32-bit and 64-bit versions of Windows are affected from Windows XP through to Windows 8.1, according to researchers. The flaw itself lets attackers elevate their privileges on a machine to administrator level. Combined with the Adobe Flash exploit, it’s a powerful way to hijack a PC. "We believe the overall risk for customers is limited, as this vulnerability could not, on its own, allow an adversary to take control of a machine," says a Microsoft spokesperson. "We encourage customers to apply the Adobe update and are working on a fix."

7/8 11:44am ET: Updated with news of Adobe's patch.