Adobe has promised to do it all can to improve the security of its much maligned Flash tool, in response to criticisms from the new CIO of Facebook and Mozilla blocking the tool from its Firefox browser.
In a blog post by Adobe the company said it was working hard to fix issues that are coming to light since data was leaked from the server of Italian surveillance software firm Hacking Team.
It went on to say that it was because Flash is so widely used it is naturally a target for hackers, but that it is confident it can maintain an adequate level of security for the product.
“Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers,” the blog said.
“We are actively working to improve Flash Player security, and as we did in this case, will work to quickly address issues when they are discovered.”
The comments come after Mozilla took the notable step of blocking Flash from its browser in light of security concerns that have come to light in the last ten days, after major flaws in Flash were uncovered in data taken from Hacking Team.
Mark Schmidt, head of Firefox support at Mozilla, confirmed that all versions of Flash up to the most recent 18.0.0.203 release have been added to the official Mozilla blocklist.
This came after the incoming chief security officer at Facebook, Alex Stamos, called for Adobe to announce an ‘end-of-life date’ for Flash given the problems it is causing.
“Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once,” he added.
Adobe has issued two major updates for Flash since the flaws were revealed. The first patch fixed the CVE-2015-5119. It was soon forced to issue a second patch for two flaws that were uncovered, termed CVE-2015-5122 and CVE-2015-5123, as it explained in a post on its website.
“Critical vulnerabilities have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux,” it said.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”
Adobe rates the flaws as critical and firms have been urged to upgrade as soon as possible. The firm also thanked researchers at FireEye and Trend Micro for uncovering the vulnerabilities.
The revelations are just the latest information to come to light since the hack. Other data revealed that the FBI is a customer of Hacking Team, and is reported to have spent $775,000 on the firm’s software.
The revelations from the hack have not come as a huge surprise to those who have criticised Hacking Team in the past, and the firm has been labelled an “enemy of the internet” by Reporters Without Borders.
“Hacking Team describes its lawful interception products as ‘offensive technology’ and has been called into question over deliveries to Morocco and the United Arab Emirates,” the organisation said.
“The company’s ‘Remote Control System’, called DaVinci, is able, it says, to break encryption on emails, files and internet telephony protocols.”
The attackers behind the hack have not yet come to light, but they too were clearly keen to embarrass and discredit Hacking Team, not only releasing the data from its systems but defacing its Twitter account and posting company emails.
The firm’s bio on Twitter was changed to read: ‘Developing ineffective, easy-to-pwn offensive technology to compromise the operations of the worldwide law enforcement and intelligence communities.’
The leaked information allegedly includes contracts the company signed with repressive governments such as in Sudan, Uzbekistan and Russia. Hacking Team had denied ever working with Sudan after a report in 2014 accused it of doing so.
Fonte: http://www.v3.co.uk/v3-uk/news/2416392/government-surveillance-software-firm-hacking-team-hit-by-hack-and-data-leak
(4)