CybersecurityAdobe deals with yet another flaw

Published 9 July 2015

On the heels of the discovery of a zero-day defect, a vulnerability not known to the software developer, Adobe is scrambling to develop yet another patch for another vulnerability. The vulnerability, labeled CVE-2015-5119, causes a system to crash and allows a remote computer take control of the target machine. According to the United States Computer Emergency Readiness Team(US-CERT,) ActionScript 3 ByteArray class, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

On the heels of the discovery of a zero-day defect, a vulnerability not known to the software developer, Adobe is scrambling to develop yet another patch for another vulnerability.

Nearly a month ago, a zero-day flaw was discovered in Adobe’s Flash Player program, arguably the most widely used internet video player. Zero-day defects, a vulnerability that has not yet been patched, or fixed, are a hacker’s dream come true and a software publisher’s nightmare. They are used by hackers to access a system and install malicious code, or malware.

Soon after, Adobe released patch closing that vulnerability.

Recently, Hacking Team, a computer surveillance firm, was hacked by unknown hacker. Hacking Team, based in Italy, has developed and sells software which allows the buyer to hack into a system in order to spy on users. The firm has, for some time, held the attention of human rights advocates because of its business dealings with widely recognized oppressive regimes such as such as Egypt, Sudan, Saudi Arabia, and the United Arab Emirates.

The vulnerability, labeled CVE-2015-5119, causes a system to crash and allows a remote computer take control of the target machine. According to the United States Computer Emergency Readiness Team (US-CERT,) ActionScript 3 ByteArray class, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

ByteArray is a class of coding used by advanced developers who require the ability to work with application or service at the byte level. A byte is a sequence of eight bits, or digital signals, which constitutes the fundamental building block of a program.

Like its predecessor, CVE-2015-5119 also allows remote access to a computer. And like its predecessor, it exploits a vulnerability in Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux.

Unlike its predecessor, however, is the irony of a hacking company getting hacked.

Late last week, Hacking Team was hacked by an unknown person, who then pilfered 400 gigabytes of the company’s documents. Once the documents were obtained, they were released by hackers via the internet.

A portion of the documents were devoted to the zero day vulnerabilities which Hacking Team had found that were not yet known by Adobe.

Adobe has not yet released a patch for CVE-2015-5119, but expects do so by today (Wednesday, 9 July 2015).