Hacking Team data leak result of Adobe Flash Zero day vulnerability

If you’ve seen any security news this last week then it will have been impossible to miss the fact that Italian security company Hacking Team suffered a breach. The implications are huge, largely because of their previously confidential customer base. It was revealed that they’ve sold sophisticated spyware tools to countries such as Sudan, Bahrain, Ethiopia and Saudi Arabia. The FBI was also on the customer list, along with Spain, Australia, Chile and Iraq. 400GB of data was exfiltrated in total, and the company’s Twitter account was also hacked and used to announce the leak. The breach further revealed that Hacking Team had been exploiting an Adobe Flash zero day vulnerability in their spyware, along with a Microsoft Windows kernel vulnerability. Things for Adobe then got a bit messy…

3 Adobe Flash vulnerabilities found within a week!

Following the initial discovery of the zero day in the Hacking Team breach, a vulnerability which they’d been exploiting in their malware products, researchers found a further two zero day vulnerabilities within the same dump of Hacking Team data. No further details of the exact vulnerabilities have been released, and Adobe have confirmed they are working on patches for all three, which should soon be available. In the meantime, however, some security experts are advising users to remove Flash altogether. Brian Krebs went so far as to remove it over a month ago and says he hasn’t missed it in the slightest. Besides the rash of vulnerabilities, Adobe has also had some bad press from some big-name critics…

Flash under attack from Facebook and Firefox

As if Adobe’s week couldn’t get any worse, Facebook’s new Chief Security Officer Alex Stamos then used the controversy to make his own opinion clear, tweeting ‘It’s time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day’. A killbit is a Microsoft mechanism that instructs an ActiveX container (such as Internet Explorer) not to load a particular control. Here it is used loosely to mean all browsers refusing to run Flash, although the killbit itself is specific to Microsoft and Internet Explorer. Naturally this stirred some debate, with some arguing in favour of Flash and others stating that it has indeed had its day. It’s undeniable that HTML5 is the new standard and capable of handling just the type of interactive content that Flash and Java applets were previously required for. We have yet to hear Adobe’s position on the matter, but retiring Flash is definitely a viable option.
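To show what the killbit Stamos refers to actually is on a Windows host, here is an added defensive example (not from the article, and not Adobe’s or Facebook’s code) that sets the ActiveX killbit for the Shockwave Flash Object control in Internet Explorer. It assumes the well-known Flash ActiveX CLSID `{D27CDB6E-AE6D-11cf-96B8-444553540000}` and the documented `Compatibility Flags` value `0x400`; the function names `Set-KillBit` and `Test-KillBit` are this example’s own. It must be run from an elevated (Administrator) PowerShell session.

```powershell
# Added example: apply the Internet Explorer ActiveX "killbit" to the Flash control.
# Assumptions (not stated in the article): the CLSID below is the Shockwave Flash
# Object control, and a Compatibility Flags DWORD with bit 0x400 set is the killbit.
$FlashClsid  = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$KillBitFlag = 0x400

# Both the native and the 32-bit (Wow6432Node) hives are covered on 64-bit Windows.
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$FlashClsid"
)

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Path)

    # Create the per-CLSID key if it does not exist yet.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Preserve any flags already present and OR in the killbit.
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newValue = ([int]$existing) -bor $KillBitFlag

    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $newValue `
                     -PropertyType DWord -Force | Out-Null
}

function Test-KillBit {
    # Returns $true when the killbit is set for the given key, $false otherwise.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags) -band $KillBitFlag) -eq $KillBitFlag
}

foreach ($path in $KeyPaths) {
    # Only write to the Wow6432Node path when that hive actually exists (64-bit OS).
    if ($path -like '*Wow6432Node*' -and
        -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer')) {
        continue
    }
    Set-KillBit -Path $path
    Write-Output ("{0} -> killbit set: {1}" -f $path, (Test-KillBit -Path $path))
}
```

The killbit only affects ActiveX hosts such as Internet Explorer; it does nothing for browsers that embed Flash through their own plugin mechanisms, which is why a "set killbits on the same day" request would need each browser vendor to ship its own equivalent.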

Java zero day reported, users advised to disable Java

Flash wasn’t the only technology under attack this week: the same company that found one of the Flash vulnerabilities also discovered a zero day in the latest release of Java. Oracle are reportedly working on a patch, but this vulnerability is already being exploited in the wild and used to target organisations such as NATO and US defense agencies. ‘Pawn Storm’, a cyber-espionage group, is being blamed for the exploits. Until a patch is rolled out, users are being advised to disable Java.

Whatsapp and other messengers using encryption could be banned under new UK legislation

One of the other big stories this week came courtesy of the UK government and their new ‘Investigatory Powers Bill’. Coming hot on the heels of Obama’s new cyber security proposals and increased spending, this UK bill is essentially a rehashed version of the Draft Communications Data Bill, which failed in 2012. In a manner echoing the initial US response, David Cameron’s government want to clamp down on terrorist communications, and encryption presents them with a huge barrier. Naturally, IT and security experts have blasted this bill in the same way they did the US proposals for encryption ‘backdoors’, with specialists at MIT stating that the removal of encryption would “Raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm”. This is difficult to argue with: cyber-attacks have been big news in the last twelve months.

Essentially, the UK government don’t want anyone to be able to communicate without the government being able to intercept and read those communications; they cite incidents such as the London bombings and the recent Tunisia tourist attack. If this did go ahead, messengers such as Whatsapp and anything else using encryption could become illegal in the UK. We can expect further news in the coming months as the Investigatory Powers Bill is put before parliament.


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.