More security flaws in Adobe Flash have been uncovered following an analysis of code released as a result of the successful attack on Hacking Team, the company that built hacking applications for government agencies around the world.
It follows the rushed release of patches last week to rectify security flaws uncovered after an initial analysis of the code of Hacking Team’s government-approved malware.
Adobe has categorised the security flaws, CVE-2015-5122 and CVE-2015-5123, as “critical vulnerabilities” and promised that patches for the Adobe Flash Player on Windows, Mac and Linux platforms will emerge this week. “Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly,” it admitted.
Security software company Trend Micro described CVE-2015-5123 as a “BitmapData remote code execution vulnerability” in a blog post on the flaw.
Adobe has been fiercely criticised for years for the poor security of two of its key products, Adobe Acrobat Reader and Adobe Flash. Both applications are almost ubiquitous, and users have been urged to either uninstall them or, at least, to make them “click to play” in their web browser settings.
While individuals building and disseminating this kind of offensive intrusion and surveillance software would be arrested and, potentially, extradited to the US, Hacking Team built a business around it by selling such applications direct to governments and government agencies around the world.
Its software exploited flaws in popular and widely used software to help government agencies target individuals – sometimes for legitimate law enforcement operations, but more often the company’s software was bought by security services and targeted against journalists, political dissidents and other law-abiding people by repressive governments.
Hacking Team included the intelligence services of Saudi Arabia, Morocco, Turkey, Oman, Egypt, Russia, Azerbaijan and Thailand among its customer base, as well as the Federal Bureau of Investigation (FBI) in the US, and government agencies in Italy, Spain, Hungary and Singapore.