Hackers republish vulnerability in Flash

Another vulnerability in Flash discovered by the Hacking Team has been revealed. It is the second leak to be published on the Internet in a short period of time. This is a zero-day vulnerability, which means that users are likely to be at risk.

An Indian hacker reported the find on Twitter and posted the vulnerability on Pastebin. Those interested in the details should download a zip file. It is not known whether and to what extent the bug in question is abused by attackers in practice. What is clear is that Flash users on Windows, Linux and OS X are at risk, although Windows users with Firefox and Chrome would be immune. Also the latest build of Windows 10 with the Edge browser would not be at risk.

Adobe has announced on its website that it is aware of the vulnerability in its software. A patch for Flash is expected to be released next week. The software maker himself describes the published vulnerability as a ‘critical vulnerability’.

This is the second published zero-day vulnerability in Flash that has been published in a short time. The first came out earlier this week, but was then quickly patched by Adobe. This bug is said to be found in three exploit kits, called Angler, Neutrino and Nuclear. Customers of these kits can easily inject malware into other people’s PCs. It is therefore plausible that this vulnerability was actively exploited.

Both the first and second bugs come from the Hacking Team inventory. This organization searches for exploits in software and then builds hack kits around it. They then sell these to others, such as governments. The company has therefore been under fire for some time, partly because it does business with dubious regimes. The exploits found by the Hacking Team have come out because the organization itself was hacked, whereby 400GB of files were stolen.