The Italy-based, malware-making digital security company Hacking Team recently had to wipe a lot of egg from its face when its website was vandalized; its Twitter account hijacked; and hundreds of gigabytes of source code, emails, and internal documents made public following a hack of its servers. Part of what came out of the data dump was that it had been providing malware to many different governments around the world, some of which are criticized for their oppressive regimes and human rights abuses.
One of the pieces of nefarious software which Hacking Team created used an exploit in the open font type manager module — ATMFD.dll — provided by Adobe. As Trend Micro explains in its blog post, the reason this could be exploited is because, while the module is processing font data, there’s a buffer underflow, because of a signed number extending.
Since the font’s buffer can be prepared by an attacker, this allows it to send commands and content to the front of the input buffer, which ultimately gives them a foot in the door of the system they’re going after.
This is just one of many different exploits which Hacking Team took advantage of in the creation of its various tools and tricks, which it sold to governments such as Sudan, United Arab Emirates, and Singapore. Another popular one used a vulnerability in Adobe’s Flash Player version 9 or later and works on almost every browser, including Internet Explorer, Chrome, Firefox and Safari.
The bug has apparently been there for years and hasn’t been patched, since it’s still present in the latest version of Flash. However, we can rest easy to some extent, as this sort of attack hasn’t been tracked in the wild apart from one specific instance in the recent past.
Trend Micro was also keen to point out in its breakdown of these threats that its software should provide protection against them … though you would expect it to say that.