The use-after-free flaw was discovered within the Hacking Team emails (Credit: Michael Hiemstra)

On Tuesday, as part of their monthly updates, Microsoft released a fix for Internet Explorer that addresses twenty-nine different vulnerabilities. One of them is a previously unknown vulnerability offered up to Hacking Team that researchers discovered in the company’s leaked emails.

Hacking Team, an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies, suffered a serious breach last week that led to the release of 400GB of data. The leaked files included source code, sales contracts, corporate emails, and more. The incident has already resulted in three patches from Adobe, and now Microsoft has addressed flaws in its software that were being offered to the company by developers.

According to Vectra Networks, the vulnerability fixed by Microsoft impacts fully patched versions of Internet Explorer 11 on both Windows 7 and Windows 8.1. The problem is an exploitable use-after-free (UAF) vulnerability that occurs within a custom heap in JSCRIPT9. Since it exists within a custom heap, Vectra said in a blog post, it could allow an attacker to bypass protections found in standard memory.

The vulnerability was discovered when Vectra researchers noticed an email from someone attempting to sell a proof-of-concept exploit to Hacking Team. “The email described an exploitable use-after-free bug in IE 11. While Hacking Team declined to buy the PoC, the email gave enough information for Vectra researchers to find and analyze the bug. After approaching Hacking Team, the researcher may have gone elsewhere to sell the bug, and if successful it may have been exploited in the wild,” the company explained.

It’s worth mentioning that Microsoft credits Vectra Networks, Trend Micro, and FireEye with the discovery of CVE-2015-2425, but Vectra has stated the flaw they discovered was a use-after-free vulnerability in IE’s JScript engine (CVE-2015-2419).
Either way, both vulnerabilities were patched in the same bulletin. The Vectra blog post contains additional details on the flaw, and the email it came from.