Credit: Steve Ragan / Twitter
There have been additional developments in the Hacking Team story, the latest being that the Adobe Flash vulnerability discovered in the 400GB cache of documents has been picked up by the Neutrino and Angler exploit kits.
The Flash exploit was used by Hacking Team for demos, and the version of it leaked to the public only included a simple proof-of-concept that launched calc.exe. However, the exploit kit developers were quick to weaponize it thanks to detailed instructions provided in Hacking Team's documentation.
Attacks have been observed on both Chrome and Firefox.
"This is one of the fastest documented cases of an immediate weaponization in the wild," commented Malwarebytes' Jérôme Segura.
Researchers at Trend Micro also detected the exploit circulating in the wild, but noted that the Hacking Team code leveraged a trick that was first observed during Pwn2Own earlier this year.
Alerted to the issue by privacy advocate and security expert Morgan Marquis-Boire and Google's Project Zero, Adobe listed the issue as critical and said it would release a patch for Flash later today. The vulnerability has been assigned CVE-2015-5119.
All versions of Adobe Flash Player from 22.214.171.124 and earlier on Windows and OS X are vulnerable.
In addition, Adobe Flash Player Extended Support Release version 126.96.36.1996 and earlier 13.x versions are also vulnerable. Adobe Flash Player version 188.8.131.528 and earlier 11.x versions for Linux will need a patch too.