Krebs on Security - Adobe to patch zero-day flaw used by governments to spy on people. They're only patching it because it's been posted about. And the point is, they knew the flaws were there, and probably put it there at the request of a government, probably the US:
Adobe Systems Inc. says its plans to issue a patch on Wednesday to fix a zero-day vulnerability in its Flash Player software that is reportedly being exploited in active attacks. The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.
In an advisory published today, Adobe said “a critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 188.8.131.52 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.”
Wow, eh? How useful! The vulnerability works against Windows, Mac, and Linux! So no matter what OS you run, you're vulnerable. That's either an amazing coincidence, or it's a great feat in software engineering.
Get this: the problem's not flash. The problem is that every operating system was vulnerable to this flash exploit.
Several reports on Twitter suggested the exploit could be used to bypass Google Chrome‘s protective “sandbox” technology, a security feature that forces the program to run in a heightened security mode designed to block attacks that target vulnerabilities in Flash. A spokesperson for Google confirmed that attackers could evade the Chrome sandbox by using the Flash exploit in tandem with another Windows vulnerability that appears to be unpatched at the moment. Google also says its already in the process of pushing the Flash fix out to Chrome users.
AND Google! They can sploit Chrome by using yet another Windows vulnerability. Wow, those completely honest mistakes and heretofore unknown "vulnerabilities" are just multiplying and multiplying, eh? And they all fit together so perfectly, as if there was some sort of perfect Creator God who willed them all into being.
The Flash flaw was uncovered after Hacking Team’s proprietary information was posted online by hacktivists seeking to disprove the company’s claims that it does not work with repressive regimes (the leaked data suggests that Hacking Team has contracted to develop exploits for a variety of countries, including Egypt, Lebanon, Ethiopia, Sudan and Thailand). Included in the cache are several exploits for unpatched flaws, including apparently a Windows vulnerability.
According to new research from security firm Trend Micro, there is evidence that the Flash bug is being exploited in active attacks.
The hackers didn't develop an exploit that manages to exploit unknown vulnerabilities in 3 separate operating systems. That's silly. The Sudanese government didn't tell them "hey, we need a hack to break into people's systems to monitor their comms, and it needs to work against everything including Linux in case we come across a target running Xubuntu on a rooted Android phone."
The hackers just found something that was already put there.
They probably got the code from some Russian, whose dad works at the FSB, who got the code from Germany, who got the code from Israel, who got the code from some programmer at Apple or Google or Microsoft or Adobe who was part of a team that wrote their company's small portion of the exploit under the co-ordination of the NSA.
You won't think I'm paranoid when they come to get you!
Wake up sheeple!