Second Critical Flash Player Vulnerability Found in Leaked Hacking Team Data

Security analysts and online criminals are locked in a furious arms race following the release of an enormous cache of data belonging to Hacking Team, the controversial Italian surveillance software vendor. It had come to light last week that Hacking Team had unearthed a vulnerability in Adobe's popular Flash browser plugin and had potentially been exploiting it to attack computers for an unknown length of time. Once made public, attackers raced to exploit it themselves, and Adobe was forced to respond with a patch within days.

A second, equally dangerous vulnerability has now come to light from the Hacking Team data. Security firm FireEye reported the discovery to Adobe, which has confirmed that it affects even the latest versions of Flash. Adobe has classified it as critical but has only committed to releasing an update "during the week of July 12, 2015".

Users are advised to disable Flash Player altogether until Adobe releases an update, and to install updates only from trusted sources such as Adobe's own website. Bogus emails and Web advertisements designed to scare users into downloading a fake patch or fix are also likely to pop up.

In Google Chrome, type 'chrome://plugins' into the address bar and hit Enter. Find the entry for Flash and click disable. Firefox users need to click 'Add-ons' in the browser menu and disable Shockwave Flash on the Plugins tab. Internet Explorer users should click 'Tools > Manage Add-ons' and disable Shockwave Flash Object in the All Add-ons list. The steps need to be taken for each Web browser a user has installed.

Such security holes allow attackers to remotely execute code on computers, potentially infecting them with malware and stealing private data. It is possible that Hacking Team used them to plant its own clandestine surveillance software on target machines without the knowledge or consent of their users.

It is certain that criminals will begin exploiting the newly discovered flaw. As PC World reports, it did not take more than 24 hours for the previously discovered vulnerability to show up in commercial exploit kits, which are sold in black markets and used by those who want to distribute malware but lack the skill or resources to develop their own backdoors.

Hacking Team has advised its clients to stop using its software now that its own source code has been released. It also now says the attack was likely carried out with government backing, due to its scope and the resources that were needed to pull it off.