We learned yesterday that the Hacking Team—an Italian security company with ties to oppressive governments and a reputation for selling intrusive spy tools—got hacked. Today, we’re learning some scary things about what this all means for you and me. In a word: malware.
Thanks to documents leaked after the hack, we now know Hacking Team sold exploits and digital weapons to human rights offenders in Sudan, but also to the FBI, DEA, and U.S. Army. But there’s more. Thanks to people leaking information from the evil Hacking Team, there are now an unknown number of weaponized exploits out in the wild.
One leaked tool targets a zero-day vulnerability in Flash, one that the Hacking Team recently called “the most beautiful Flash bug for the last four years.” The exploit can be delivered through your web browser if you navigate to a page with a corrupt Flash player, and Internet Explorer seems particularly problematic. Adobe has not yet released a fix.
After researchers discovered the exploit in the Hacking Team documents, Symantec successfully tested the malware. Its outlook sounds a little grim. “Given the source of the proof-of-concept code, it is possible that this vulnerability has already been exploited in the wild,” Symantec said today in a blog post. “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected computer.”
Hopefully, Adobe will fix the vulnerability before everyone using Flash becomes vulnerable. However, Ars Technica warns that you “should consider disabling Flash, particularly when browsing websites they are unfamiliar with,” for the time being.
It’s not just the Flash malware, either. The leaked documents also show that the Hacking Team may have found a zero-day vulnerability in all versions of Windows since Windows XP. They also have an exploit that may work with Android phones, turning jailbreaking techniques into rootkits that slurp all the data off your devices. OK, white hats, let’s start patching!
[Symantec via Ars Technica]
Contact the author at adam@gizmodo.com.
Public PGP key
PGP fingerprint: 91CF B387 7B38 148C DDD6 38D2 6CBC 1E46 1DBF 22