Earlier this week news hit the web that security firm Hacking Team fell victim to a hacking attack that resulted in the theft of over 400GB of data. The firm provides malware tools to government and law enforcement agencies all over the world, including to repressive regimes.
Now we learn that the hack of security firm Hacking Team also resulted in the leak of a dangerous zero-day Flash vulnerability that's already being abused by three exploit kits. Adobe is expected to release a patch today or on Thursday, in the meantime it may be a smart idea to disable Flash in your browser(s).
Researchers sifting through the confidential material stolen from spyware developer Hacking Team have already uncovered a weaponized exploit for a currently unpatched vulnerability in Adobe Flash, and they also may have uncovered attack code targeting Microsoft Windows and a hardened Linux module known as SELinux.
Hacking Team documentation accompanying the Flash exploit said it targeted "the most beautiful Flash bug for the last four years," according to a blog post published Wednesday by researchers from antivirus provider Trend Micro. The use-after-free flaw resides in a Flash Bytearray object. Researchers at competing AV company Symantec have confirmed the existence of a Flash exploit that works against the latest version of Flash (18.0..194). They also have confirmed it works against people viewing content with Internet Explorer, and it's presumed it will work against other browsers as well.