Hacking Team Breach Reveals Two New Critical Flash Zero-Day Exploits
Two more Flash Zero-Day exploits were reported over the weekend, thanks to the deluge of documents leaked from the Hacking Team, the Italian company famous for supplying hacker tools to the world.
Adobe is planning to release a patch for each of the bugs, dubbed CVE-2015-5122 and CVE-2015-5123, on its Web site later this week. The company said both updates are critical.
Cybersecurity companies FireEye and Trend Micro were responsible for discovering the two exploits, which were detailed in the 400 GB of corporate data that was released in the leak of Hacking Team’s documents earlier this month. The two vulnerabilities exist in the Windows, Microsoft, and Linux versions of Flash Player 126.96.36.199 and earlier.
The Hits Keep Coming
Reports of new security flaws in the Flash Player software are hardly new. In fact, the two reports come after Adobe issued yet another security patch for Flash Player last week to address another flaw that had been exploited by the Hacking Team and had been quickly adopted by hackers worldwide.
FireEye said that the latest exploit, CVE-2015-5122, was even authored by the same person as last week’s reported bug, CVE-2015-5119, both of which it said were well written. Both threats take advantage of the same basic strategy, exploiting the use-after-free vulnerability in DisplayObject.
The vulnerability is triggered by freeing a TextLine object within the valueOf function of a custom class when setting the TextLine’s opaqueBackground. Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf will overwrite the length field of Vector object with a value of 106. Once the exploit has been triggered, the malicious code could either cause a system crash or allow an attacker to take control of the affected system.
Poses a Risk to Users
The second vulnerability, CVE-2015-5123, discovered by Trend Micro, affects all versions of Adobe Flash Player in Windows, Mac, and Linux. Like CVE-2015-5122, this exploit could also allow an attacker to take control of a user’s system.
The CVE-2015-5123 vulnerability exploits the valueOf trick bug. However, compared to the first two reported Flash zero-day exploits, it involves the BitmapData object and not the TextLine and ByteArray. Triggering the vulnerability involves creating a new BitmapData object, preparing two Array objects, two MyClass objects and assigning the MyClass objects to each Array.
Once it has overridden the valueOf function of MyClass, it calls the BitmapData.paletteMap with the two Array objects as parameters. The BitmapData.paletteMap will trigger the valueOf function. In the valueOf function, it will call BitmapData.dispose() to dispose the underlying memory of BitmapData object, thus causing Flash Player to crash.
“We are currently monitoring this proof-of-concept for any active attacks that may employ this zero-day exploit,” Trend Micro said in a blog post announcing the discovery of the vulnerability. “Considering that the Hacking Team leak is publicly available already, it poses risks to users.” The company said that the best thing to do until Adobe releases a patch is to completely disable Flash Player.
Posted: 2015-07-13 @ 3:51pm PT
Another week, another Adobe Flash bug. This is no longer funny. I am uninstalling Flash.