What you need to know about the Hacking Team Flash Zero Day

by Christopher Budd

There has been a lot of discussion in the past few days about the successful attack against the Hacking Team in Italy and the release of their data as a result of that attack.

The most important thing that people need to be aware of is that this attack has resulted in the public disclosure of another, new, vulnerability affecting Adobe Flash. When the vulnerability was disclosed there was no patch available to fix this vulnerability making this a zero-day vulnerability.

Overnight, our researchers have found that attackers have shifted into overdrive to include this new vulnerability into exploit kits to weaponize it. The most serious risk is that this attack will be used to compromise third-party advertising servers, consistent with a trend we’ve seen in the first quarter of 2015.

Trend Micro customers have been protected against this threat three ways:

  • Trend Micro™ Deep Discovery: The existing Sandbox with Script Analyzer engine can be used to detect this threat by its behavior without any engine or pattern updates.
  • Trend Micro™ Security, Trend Micro™ Smart Protection Suites, and Worry-Free Business Security: The Browser Exploit Prevention feature blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention protects against exploits that target browsers or related plugins.
  • Trend Micro™ Deep Security and Trend Micro OfficeScan: Vulnerability Protection now provides protections against his vulnerability with the following rule: 1006824  – Adobe Flash ActionScript3 ByteArray Use After Free Vulnerability

As of July 8, Adobe has made an update available to address this vulnerability, so anyone using Flash should apply it right away.

Our researchers have also found evidence indicating that this vulnerability was being used in limited attacks against people in Korea and Japan on July 1, before the Hacking Team attack information was made public on July 4. There’s some possible indication that attacks using this vulnerability even started as early as June 22, though we can’t confirm this. While we can’t conclusively prove it, there are signs to indicate the possibility that these early, limited attacks trace back to the data theft from the Hacking Team (the attacks have a similar structure to code leaked from the Hacking Team).

Whether these early attacks trace to the Hacking Team or not, one message is clear—this situation underscores the risk from “hoarding” vulnerabilities rather than reporting them to the vendor or software development project so they can be addressed.

Our researchers are continuing to follow this situation and we will provide updates when we have more information.

Leave a Reply

Your email address will not be published. Required fields are marked *