Updated Confidential source code stolen from Hacking Team, and subsequently leaked online, has revealed new and extremely serious software vulnerabilities that are exploited by the spyware maker to infect victims' computers.
The security holes are used to inject malicious code into PCs; that code installs surveillance tools to monitor the user's every move and remote control their machines over the internet.
Hacking Team, which is based in Italy, counts the governments of Saudi Arabia, Oman, Sudan, Egypt, Lebanon, Russia, the US, and others, plus various private organizations, as its customers, past and present, it appears.
From what we've seen so far, inside the leaked source code lies an Adobe Flash exploit for which no patch exists: it can be used against Internet Explorer, Firefox, Chrome and Safari, and affects Flash Player 9 to the latest version, 22.214.171.124.
A proof-of-concept exploit uses the flaw to open calc.exe on Windows, proving a malicious Flash file downloaded from the internet can execute arbitrary code on a victim's computer. Hacking Team describes it as "the most beautiful Flash bug for the last four years" in its internal documentation.
Adobe told us in a statement today that it is working on a patch, which it hopes to release by the end of the week. The vulnerability is present in its plugin software for Windows, OS X and Linux:
A critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 126.96.36.199 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available on July 8.
According to Trend Micro, the Flash vulnerability is a classic use-after-free() programming cockup that allows the attacker to read and write arbitrary bytes in memory. This allows the malicious Flash file to build a chain of instructions that tells the Windows kernel to mark a chunk of injected code as executable – which is then called and can do whatever it likes.
A technical breakdown of the vulnerability can be found here, written by a Chinese infosec researcher.
The bad news is that with the source code leaked, details of the Flash bug are now in the wild for crims to exploit against netizens.
"Without a doubt cyber criminals have already got their hands on it and will integrate it in their exploit kits soon," warns Jérôme Segura of MalwareBytes.
Hacking Team uses another Flash vulnerability, CVE-2015-0349, but Adobe has patched that: this is why it's always a good idea to update your software as soon as you can so you're not caught out by old-day exploits.
Meanwhile, another zero-day has been found in the Hacking Team source code: this one is a vulnerability in atmfd.dll, the Adobe font driver in the kernel level of the Windows operating system. This library is bundled with Windows so that it can render fonts on screen. The vulnerability is not the same as the MS15-021 flaw that Microsoft patched in March.
This vulnerability can be used to elevate an attacker's privileges to administrator level, allowing more damage or surveillance to be carried out. It can be chained with the aforementioned Flash zero-day to first execute code as a user and then gain more powers to fully hijack the system.
We're told the vulnerability is exploited by loading a malicious OTF font file, and then calling a poorly coded software interface in atmfd.dll to read and write to kernel memory. This allows high-level security tokens to be copied to the running process, elevating its privileges – this also sidesteps protection mechanisms (such as SMEP) that try to prevent malicious code execution. Google Chrome's sandbox feature defeats this attack, we're told.
Again, with this exploit in the wild now, crooks can wield it against normal netizens to seize control of their PCs. Microsoft was not available for immediate comment.
Analysis of the Hacking Team leak is still ongoing: so far, apart from these two zero-day holes, the rest of the company's leaked exploit cache appears to be arguably unimpressive. Keeping your software up to date and installed from official sources, and devices physically away from attackers, should be enough to protect against an infection of Hacking Team's spyware. ®
Updated to add
Microsoft has been in touch to say it is working on a fix for the kernel-level Windows vulnerability.
"We believe the overall risk for customers is limited, as this vulnerability could not, on its own, allow an adversary to take control of a machine," a Redmond spokesman told us. "We encourage customers to apply the Adobe update and are working on a fix."