Microsoft and Adobe patch bugs from Hacking Team data
Security vulnerabilities in the Hacking Team data leaked last week have been squashed by Microsoft and Adobe. The bugs were in Internet Explorer 11 and Flash; at least those in Flash were actively abused.
A security researcher tried to sell the bug in Internet Explorer to security company Hacking Team, whose internal data leaked last week. This was a bug in Internet Explorer 11 on Windows 7 and 8.1, which had not yet been patched. As a result, fully updated versions of Internet Explorer were vulnerable.
Although Hacking Team ultimately never bought the vulnerability, the email conversation contained enough information for security company Vectra to verify that the bug exists. “Hacking Team didn’t buy the vulnerability, but there’s a chance the researcher could have sold his bug elsewhere, which could have caused the vulnerability to be exploited,” Vectra warns.
However, Microsoft has since patched the vulnerability, so updated Windows installations with Internet Explorer should no longer be vulnerable. It was a so-called use-after-free bug, in which a region of memory is accessed after it has already been freed. As a result, the software crashes and an attacker can inject code of their own.
The bug in Flash was already being actively exploited, as it turned out last weekend. This forced Firefox to block the latest version of Flash. Those bugs have now also been resolved, Threatpost writes. So, once users have installed the new Flash update, the plugin should work in Firefox as well. In total, three new security vulnerabilities became known thanks to the released data from Hacking Team.