In a rare confluence of scheduling and circumstances, Adobe, Microsoft and Oracle issued patches on July 14 for vulnerabilities first publicly revealed July 5 in the breached documents of security firm Hacking Team.
Adobe’s Patch Tuesday update includes fixes for the CVE-2015-5122 and CVE-2015-5123 zero-day vulnerabilities that FireEye and Trend Micro found in the Hacking Team materials.
“Flash Player is one of the most ubiquitous and widely distributed pieces of software in the world, and as such, is a target of malicious hackers,” Adobe wrote in a blog post. “We are actively working to improve Flash Player security, and as we did in this case, will work to quickly address issues when they are discovered.”
Adobe is also updating Adobe Reader and Acrobat for 46 identified CVEs, 27 of which were reported to Adobe by researchers working with Hewlett-Packard’s Zero Day Initiative.
The new Adobe updates are in addition to the 36 CVEs the company patched on July 8. They included one additional zero-day derived from the Hacking Team breach.
Oracle
Oracle’s July Critical Patch Update (CPU) eclipses Adobe’s CVE count, with a staggering 193 unique CVEs identified and fixed. Among them is CVE-2015-2590, which is a zero-day flaw in Java identified by Trend Micro from the Hacking Team breach. The CVE-2105-2590 zero-day in Java is one of 25 patches Oracle is making this month for Java.
Trend Micro first discovered CVE-2015-2590 being actively exploited as part of a hacker campaign it has identified as Operation Pawn Storm.
“We found email messages targeting a certain armed forces of a NATO country and a U.S. defense organization contained these malicious URLs where the Java exploit is hosted,” Trend Micro stated in a blog post. “This exploit sets off a chain of malware infections that lead to its final payload: an information-stealing malware.”
In addition to the Java patches, Oracle’s patch haul includes 10 fixes for the Oracle Database, 25 patches in Oracle Berkeley DB and 39 patches for Oracle Fusion Middleware.
Microsoft
Microsoft is also tackling a vulnerability first revealed in the Hacking Team breach with CVE-2015-2425, a flaw in the Internet Explorer 11 Web browser.
“On July 6, information spread that the Italian company known as the Hacking Team were themselves the victims of a cyber-attack,” Vectra Threat Labs wrote in a blog post. “In the aftermath of this leak, Vectra researchers have analyzed the leaked data, and identified a previously unknown vulnerability in Internet Explorer 11 that impacts a fully patched IE 11 on both Windows 7 and Windows 8.1.”
Microsoft credits security researchers Bill Finlayson of Vectra Networks, Dhanesh Kizhakkinan of FireEye and Peter Pi of TrendMicro for reporting the CVE-2015-2425 flaw. The CVE-2015-2425 flaw is one of 29 CVEs that Microsoft is patching in IE with its MS15-065 security bulletin.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
