8 July 2015
Adobe is working to fix a security hole in its Flash software that was made public only after data was stolen from an online surveillance company.
Italian firm Hacking Team sells spying software to intelligence agencies around the world.
On Sunday, private data stolen from the company was posted online, indicating it knew about a serious flaw in Flash, but had not told Adobe.
One security blog said the bug had been “immediately weaponised” by attackers.
“This is one of the fastest documented cases of an immediate weaponisation in the wild, possibly thanks to the detailed instructions left by the Hacking Team,” wrote Jerome Segura from Malwarebytes.
‘Beautiful bug’
Details of the exploit were among 400GB of stolen data that was posted online.
In the data, Hacking Team described the flaw as “the most beautiful Flash bug for the last four years”.
Security software company Trend Micro said the exploit had already been included in at least three exploit kits – collections of computer code and tools that can help attackers spread malicious software.
“When you know the severity of a flaw, there’s a duty to disclose it to the software vendor,” said Bharat Mistry, cybersecurity expert at Trend Micro.
“Maybe they saw this as an avenue they could use for their own purposes and wanted to keep it under wraps.
“But Flash has a big presence on the web. There is mass potential for this bug to be exploited by criminals.”
Adobe acknowledged the bug could “cause a crash and potentially allow an attacker to take control of the affected system”.
It said the flaw affected Flash 18.0.0.194 and earlier versions for Windows, Macintosh and Linux, adding that a fix would be issued on Wednesday.