Spyware company Hacking Team was compromised earlier this week, leading to 400GB of internal and files, source code, and emails being made available on torrent sites for anyone to download.
While there’s some embarrassing communications contained within the leak, some serious software security flaws have also been discovered.
Some source code contained within the leak includes software vulnerabilities that are being exploited by Hacking Team to break into PCs. Two unpatched vulnerabilities have been discovered, affecting Adobe’s Flash software and Microsoft’s Windows operating system. Hacking Team describes the Flash flaw as "the most beautiful Flash bug for the last four years," suggesting that the company may have been using this to access people’s machines for quite some time. The vulnerability itself allows malicious attackers to execute code on a victim’s machine through a website. It affects Windows, OS X, and Linux, and can be used against browsers like IE, Firefox, Chrome, and Safari.
Hacking Team appears to have used this hole to install its own exploit kits and monitor or remotely control PCs. Adobe is now aware of the vulnerability and is planning to issue a patch later today, but given the vast amount of security issues with Flash over the years it's advisable to move away from using the software if you're able to.
The second vulnerability affects an Adobe font driver in Windows. All 32-bit and 64-bit versions of Windows are affected from Windows XP through to Windows 8.1, according to researchers. The flaw itself lets attackers elevate their privileges on a machine to administrator level. Combined with the Adobe Flash exploit, it’s a powerful way to hijack a PC.
"We believe the overall risk for customers is limited, as this vulnerability could not, on its own, allow an adversary to take control of a machine," says a Microsoft spokesperson. "We encourage customers to apply the Adobe update and are working on a fix."
