Hacking Team Breach Reveals ‘Beautiful’ New Flash Flaw

New Flash and Windows vulnerabilities have been uncovered as a result of the hacking of Milan-based surveillance tools developer Hacking Team.

The firm acknowledged last week that it had been hacked, during which 400GB of confidential internal documents, along with staff and customer passwords, had been compromised and published online.

And now Trend Micro has found the information dump contains at least three new exploits the Hacking Team was aware of, but had not reported.

New vulnerabilities

Trend said Hacking Team described one of the Flash exploits as “the most beautiful Flash bug for the last four years.” This Flash exploit has not yet been given an CVE number.

“While Hacking Team stated that this was the most beautiful bug since CVE-2010-2161, we can see that several bugs have used this ValueOf trick, including CVE-2015-0349 which was used at Pwn2Own 2015,” said Trend.“Users do not need to be overly concerned about this vulnerability at this time, as an active attack has not yet been spotted in the wild.”

One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched, and Adobe said it was working on a patch for the other Flash vulnerability.

Controversial Company

The Hacking Team is a controversial company and has been criticised in the past for making tools that help governments to spy on their citizens as it supplies tools for both the desktop and mobile platforms.

It has also been listed on the “Enemies of the Internet” report compiled by Reporters Without Borders, which highlighted it as one of five companies that “sell products that are liable to be used by governments to violate human rights and freedom of information”.

Hacking Team’s Remote Control System (RCS) spyware for example was used against the Moroccan media, a United Arab Emirates human rights activist, and Ethiopian journalists in the Washington, DC area.

Are you a security pro? Try our quiz!