Adobe patches Hacking Team’s zero-day Flash flaw being exploited in the wild

Don’t twiddle your thumbs or otherwise procrastinate, update Flash Player now as the Hacking Team’s zero-day is being actively exploited in the wild. Whether you use Windows, Mac or Linux, it’s a critical vulnerability and “all Flash Player users are at risk.” Adobe warned that a “successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”

“Go stealth and untraceable; hit 100,000 targets at once,” the Italian Hacking Team previously claimed while advertising its “lawful” surveillance malware. Well now, since so many folks use Adobe Flash Player, that would be a great way to accomplish mass infections for mass surveillance, as would exploiting a Windows kernel flaw. But cybercriminals who might have been possible victims of the Hacking Team’s malware are probably immensely grateful now as they wasted no time before jumping on the leaked exploits after the Hacking Team became the “Hacked Team.” Malwarebytes blogged, “This is one of the fastest documented case of an immediate weaponization in the wild, possibly thanks to the detailed instructions left by Hacking Team.”

The Malwarebytes blog and a security researcher that goes by Kafeine warned that the Flash zero-day was in the wild and had already been rolled into Angler, Neutrino, and Nuclear kits. Don’t expect it to end there, as Metasploit released a module with the Hacking Team’s Flash exploit.

It’s “the most beautiful Flash bug for the last four years,” bragged the ‘readme’ file for the Hacking Team’s Flash flaw. Not everyone would agree, including CERT at Carnegie Melon, but if you’d like to avoid being a victim of ransomware, then update Flash Player now. Already Trend Micro has identified CryptoWall 3.0 ransomware being spread as a payload “particularly by the Angler exploit kit.”

“The information dump includes at least three exploits – two for Flash Player and one for the Windows kernel,” Trend Micro reported. Elsewhere, Bruce Schneier suggested the “Hacking Team had no exploits for an un-jail-broken iPhone. Seems like the platform of choice if you want to stay secure.”

You can go here to determine what version of Adobe Flash Player you are using; Adobe released a security advisory yesterday and released Flash 18.0.0.203 today to resolve the flaw that is being exploited in the wild. If that’s not the version you have, then grab the latest version released as an emergency Flash patch thanks the Hacking Team’s data dump. You might also consider enabling click-to-play for Flash.

Security firm Bromium Labs analyzed the flaw, then said, “Out of the box, this exploit comes with shellcode for Windows (both 32 and 64 bit) and Mac OSX (64 bit only). According to the documentation present in the dump, this exploit should work with every version of Flash Player from version 9 until 18.0.0.194. We’ve got it working internally with Flash Player 18 and Internet Explorer, which indicates this it is clearly a zero day risk to internet users today.”

Back in 2012, Bromium Labs security researcher Jared DeMott was awarded third prize in Microsoft’s BlueHat competition. In 2014, DeMott blew past all protections provided by Microsoft’s EMET anti-exploitation tool – a tool that many believe can stop attackers from exploiting zero-days. Yesterday, regarding the Hacking Team’s Flash exploit, Bromium Labs pointed out, “Given legitimately sophisticated shellcode and mitigation bypass techniques similar to the ones documented by Bromium researcher Jared DeMott, this exploit has the potential to completely own almost any system that it hits.”

‘Zero days’ and the Wassenaar Arrangement

There’s been a great deal of confusion and concern in the security community since the Department of Commerce’s Bureau of Industry and Security (BIS) proposed changes to the Wassenaar Arrangement. It’s a murky mess that could cause fallout in responsible vulnerability disclosures and researchers collecting bug bounties. If the changes are aimed at black hat hackers, then what category is the Hacking Team since it profits from the sale of surveillance malware?

Furthermore, on Carnegie Mellon University’s CERT blog, Allen Householder came out against using the terminology “zero-day,” saying that even trying to define “zero-day exploit” is like trying to “nail jelly to the wall.” Although people keep using “phrases like ‘zero-day vulnerability,’ ‘zero-day exploit,’ or simply ‘zero day’ or ‘0day’,” Householder said, “I don’t think it means what you think it means.”

“The BIS proposed rules,” Householder wrote, “specifically refer to zero-day exploit capability.” He then quoted numerous respected security definitions dealing with zero-days and no two were alike. Even now a UK ethical hacking student has censored his EMET bypass dissertation due to the Wassenaar Arrangement; yet his research can allegedly blow right past Microsoft’s EMET tool. If it was made public and then patched, wouldn’t everyone who uses it be safer?

If the Wassenaar Arrangement is like “an arms control treaty that could land security researchers in jail,” then researchers might not come forward; critical security holes might not get patched; the networked world as a whole would suffer. Security-minded individuals who care about these issues need to submit comments by July 20.

Hacking Team Sweeper and detekt

For right now, if you have the right skills, please consider contributing to Hacking Team Sweeper before Hacking Team clients remotely delete evidence from targets’ computers. When identified, the surveillance malware could help tools like detekt which in turn can help people know if they have the surveillance malware on their devices.