Adobe is working to fix a vulnerability in its Flash software that came to light only after the security breach at Hacking Team.
Hacking Team provides cyber surveillance software to government intelligence agencies around the world, but was itself the victim of a cyber attack this week. Among the data stolen from company networks was information related to a flaw in Adobe Flash software, writes Chris Foxx for The BBC.
Stolen information posted online
Hackers stole data from the Italian firm on Sunday, and posted some of it online. Among the information was data related to a security flaw in Flash Player, which Hacking Team had not yet told Adobe about.
According to one security blog, hackers “immediately weaponized” the bug. “This is one of the fastest documented cases of an immediate weaponization in the wild, possibly thanks to the detailed instructions left by the Hacking Team,” wrote Jerome Segura from Malwarebytes.
In total, 400GB of stolen data ended up online. The security flaw was described as “the most beautiful Flash bug for the last four years” by Hacking Team, and it was quickly put to use by other hackers.
Three hacking kits related to the bug have already been published by cyber attackers, according to security software company Trend Micro. It seems strange that Hacking Team would not have immediately informed Adobe about the discovery of such a flaw.
Hacking Team withheld information from Adobe
Bharat Mistry, cybersecurity expert at Trend Micro, criticized Hacking Team for its actions. “When you know the severity of a flaw, there’s a duty to disclose it to the software vendor,” he said.
“Maybe they saw this as an avenue they could use for their own purposes and wanted to keep it under wraps. But Flash has a big presence on the web. There is mass potential for this bug to be exploited by criminals,” continued Mistry.
A huge number of computer users run Adobe Flash software, and the flaw was a serious one. Adobe has since confirmed that the bug could “cause a crash and potentially allow an attacker to take control of the affected system.”
The flaw is present in Flash 22.214.171.124 and earlier versions for Windows, Macintosh and Linux operating systems. Adobe has reassured users that a patch will be released this Wednesday to close the security hole.
As if it were not embarrassing enough for Hacking Team to fall victim to a cyber attack, it appears that the company was withholding important security information.