Adobe to Patch Hacking Team Flash Player Bug

A critical Flash Player bug used by notorious surveillance software firm Hacking Team and made available in a data dump on Sunday will be patched on Wednesday after being spotted in active exploits, Adobe has confirmed.

The firm said in an advisory that the flaw (CVE-2015-5119) had been identified in Flash Player 18.0.0.194 and earlier for Windows, Mac and Linux and could cause a crash and allow an attacker to take over an affected system.

“Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available on July 8, 2015,” the firm continued.

According to data posted to the web on Sunday after a suspected breach of its internal systems, Hacking Team described the vulnerability as “the most beautiful Flash bug for the last four years.”

Security experts were quick to denounce the original Hacking Team attackers for revealing the flaw in their data dump.

“A separate attack against one of these vulnerabilities shows that not sharing the discovery of vulnerabilities with the vendor or broader security community leaves everyone at risk,” argued Trend Micro global threat communication manager, Christopher Budd.

“This latest attack is yet another demonstration that Adobe is a prime target for exploit across commercial and consumer IT systems.”

However, Tripwire director of security and product management, Tim Erlin, explained that the information disclosed in the attack had also provided insight into a “difficult-to-characterize economy around custom exploit development.”

“From the data revealed, it appears that government and law enforcement agencies around the world are willing to spend millions of dollars for the type of services that Hacking Team provides,” he argued.

“Hacking Team was essentially selling to both sides of cyber-conflicts around the world, and making significant sums of money in the process. This data will provide fuel to privacy organizations to ask difficult questions of government agencies around the world.”
