The Recent Cyber Attack that exposed 400GB of corporate data belonging to surveillance software firm Hacking Team has revealed that the spyware company have already discovered an exploit for an unpatched zero-day vulnerability in Flash Player.
Security researchers at Trend Micro claim that the leaked data stolen from Hacking Team, an Italian company that sells surveillance software to government agencies, contains a number of unpatched and unreported Adobe flaws.
While analyzing the leaked data dump, researchers discovered at least three software exploits – two for Adobe Flash Player and one for Microsoft's Windows kernel.
Out of two, one of the Flash Player vulnerabilities, known as Use-after-free vulnerability with CVE-2015-0349, has already been patched.
However, the Hacking Team described the other Flash Player exploit, which is a zero-day exploit with no CVE number yet, as "the most beautiful Flash bug for the last four years."
Symantec has also confirmed the existence of the zero-day flaw in Adobe Flash that could allow hackers to remotely execute code on a targeted computer, actually allowing them to take full control of it.
Researchers found a Flash zero-day proof-of-concept (POC) exploit code that, after testing, successfully worked on the most latest, fully patched version of Adobe Flash (version 22.214.171.124) with Internet Explorer.
Successful exploitation of the zero-day Flash vulnerability could cause a system crash, potentially allowing a hacker to take complete control of the affected computer.
The zero-day vulnerability affects all major web browsers, including Microsoft's Internet Explorer, Google's Chrome, Mozilla's Firefox as well as Apple's Safari.
Researchers have not spotted any attacks in the wild exploiting this zero-day flaw. However, since details of the vulnerability are now made publicly available, it is likely cybercriminals will quickly try to exploit the flaw before a patch is issued.
Therefore, users who are concerned about the issue can temporarily disable the Adobe Flash Player in their browser until the company patches the zero-day flaw.