Oracle and Microsoft shuffle out anti-Hacking Team patches while Adobe takes the heat
Adobe (finally) patches the security flaws exposed by the Hacking Team crack - while Oracle and Microsoft sneak out their Hacking Team patches
Oracle and Microsoft have quietly rushed out patches to fix security flaws exposed in the Hacking Team crack at the same time that Adobe has issued its patches to fix security flaws exposed in the same attack.
Oracle has released a patch for Java intended to fix 24 vulnerabilities, as well as a zero-day flaw that is known to have been actively exploited in the wild. The latest version is Java 8, Update 51. It also offers the choice of disabling Java content in web browsers, which some security specialists have recommended.
Indeed, one of the recommendations is to turn off Java (and, indeed, Adobe Flash) in the browser used every day, and to use them only in one particular browser for particular purposes.
Microsoft, in the meantime, shuffled a dozen security fixes into its latest Patch Tuesday release. It included a major patch for the Internet Explorer web browser, intended to fix 28 bugs - including zero-day vulnerabilities exploited by Hacking Team. The flaws were so wide that Internet Explorer users could become infected merely by browsing a compromised web page.
At the same time, Adobe has rushed out fixes to the two critical flaws highlighted over the weekend, as promised. The flaws, code-named CVE-2015-5122 & CVE-2015-5123 by Adobe, were "use-after-free" and "BitmapData use-after-free" bugs respectively.
They had been uncovered and exploited by Italian surveillance software vendor Hacking Team. This followed the discovery of earlier flaws the previous week after coders had started examining the source code leaked following the devastating hack.
The latest Adobe Flash patches come a day after Mozilla started disabling Flash by default in the Firefox web browser.
However, Hacking Team CEO David Vincenzetti has suggested that the source code for the next version of the company's Remote CS was not stolen in the raid, and promised version 10 will come out this autumn.
Customers, meanwhile, have been told to stop using their software - presumably because updates to anti-virus and security software will expose their use of Hacking Team's malware.