Flash zero-day leaks out from “Hacking Team” hack, patch expected Real Soon Now

Thanks to threat-busters Andrew O’Donnell and Fraser Howard of SophosLabs for their timely input to this article.

Wouldn’t you just know it!

Last night we wrote about how Flash troubles come in threes, like those proverbial buses:

Stop the presses!

Make that four buses that just arrived at once.

Earlier this week, a Italian company with the unequivocal name of Hacking Team…

…got hacked, to put not too fine a point on it.

Hacking Team is, indeed, into hacking – controversially, as it happens, because its main line of business is selling hacking and interception capabilities at a country level.

You might therefore expect a company of that sort to have had some vulnerabilities and exploits up its sleeve.

Apparently, that turns out to have been correct, though we say “to have had” because they’re no longer “up its sleeve.”

Thanks to a giant data dump published by the hackers who hacked the hackers, the zero-day cat is out of the bag.

Adobe emergency bulletin

As a result, Adobe just issued APSA15-03, for a Flash bug now named CVE-2015-5119:

A critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available on July 8, 2015.

Adobe’s bulletin is dated 2015-07-07, which is yesterday (throughout the world) at the time of writing [20150708T12:45Z], and the update is promised for today.

We’ll presume that means that the patch will drop during business hours, US West Coast time (Pacific Daylight Time, UTC-7).

That will be a great result by Adobe, if it can hit that target, not least because the vulnerability affects all platforms supported by Flash: Windows, OS X and Linux.

Given the zest with which the world has fallen on the loot plundered from the Hacking Crew breach, SophosLabs has raised its Threat Level to High.

What to do?

We’re backing up our colleagues in SophosLabs by saying, “Watch out for the update and grab it as soon as you can.”

If you’re looking for something you can do right now before the patch comes out, here’s a list of tips you can try.

They’re great tips anyway, so we recommend them even when there isn’t an update emergency going on:

  • Get rid of Flash altogether. Apple iPad and iPhone users haven’t had Flash for ages, and they don’t seem to be in any kind of internet backwater. It’s like a big, heavy backpack: if you don’t actually need any of that stuff, why carry it?
  • Turn off Flash in your browser. If you can’t ditch Flash, but you need it only very occasionally, enable it when you actually need it, so your browser doesn’t advertise that you have Flash until you tell it to. Warning: you will need to remember to keep turning Flash back off, so this approach requires a bit more care than the others.
  • Use click-to-play. Most browsers allow you to set Flash to “always ask.” Your browser will advertise that you have Flash, but it won’t do anything until you click on a Flash component to allow it to run. This is a safe but handy way of seeing which websites still use Flash.
  • Use an anti-virus that blocks suspicious files and web pages in real time. That will help to keep you away from sites known to foist Flash malware on you, as well as blocking malicious Flash content from as-yet-unknown bad web pages.
  • Update early, update often. Even if you let Adobe do your Flash updates automatically, keep abreast of security bulletins and published patches.

By the way, occcasional manual verification that your auto-updates are working is a good idea for all updates to all products.

Manual oversight will prevent you getting caught out by the “forget” part of “set and forget,” a security approach that we can understand but not recommend.

NB. Sophos detects Flash attacks in general as Troj/SWFExp-*, short for Shockwave Flash exploit. Specific detection for files known to be associated with the Hacking Team leak include SWFExp-HT, SWFExp-HU and SWFExp-HW, if you want to keep an eye on your logs.