    Adobe Secures Flash, With Help From Google

    By Sean Michael Kerner - July 19, 2015
      Flash flaws

      Adobe is under tremendous pressure to do more to secure its Flash Player technology, which has been aggressively exploited in 2015. However, Adobe isn’t alone in its efforts to secure Flash, as a very key ally is contributing significantly to Flash’s defense—none other than Google.

      Flash’s weaknesses are numerous, but common ones are use-after-free (UAF) memory vulnerabilities. In the last month, Adobe has patched Flash for 38 different Common Vulnerabilities and Exposures (CVEs), three of which were identified as zero-day exploits that were found in the breached materials of Italian security vendor Hacking Team.

      However, the largest single source of Flash vulnerability discoveries so far in July was not zero-day exploits found in the wild but Google’s Project Zero security initiative. Adobe credited Google with the discovery of 20 CVEs in its APSB15-16 security bulletin. But as it turns out, Google didn’t just report vulnerabilities in Flash; the company went a step further and is helping Adobe remediate the flaws and prevent them in the first place.

      As of the Flash v18.0.0.209 update, which was released on July 14, Flash now includes new attack mitigations, courtesy of Google’s Project Zero security initiative.

      Google security engineers Mark Brand and Chris Evans detail the full mitigation in a technical post, but what it really boils down to is protection against a common class of UAF exploits, which take advantage of weaknesses in how Flash manages memory. To that end, multiple mitigations are now integrated in the latest Flash release to make such exploits harder. One of those mitigations is a technique known as heap partitioning.

      “Heap partitioning is a technique that isolates different types of objects on the heap from one another,” the Google engineers explain. “Chrome uses heap partitioning extensively, and it has become a common defensive technique in multiple browsers. We have now introduced this technology into Flash.”
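      To make the heap-partitioning idea concrete, here is a small added example in C (an illustration written for this page, not Adobe’s or Google’s allocator code, and a deliberately simplified model of a slot allocator): with one shared pool, a freed object’s slot is immediately handed back out for a different kind of object, which is the reuse step a UAF exploit relies on; with one pool per object kind, that cross-type reuse cannot happen.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define SLOT_SIZE 64
#define SLOTS_PER_PARTITION 16

/* Toy partition: equal-size slots plus a LIFO free list, so the most recently
   freed slot is the first one handed back out (as real allocators tend to do). */
typedef struct {
    unsigned char slots[SLOTS_PER_PARTITION][SLOT_SIZE];
    void *free_list[SLOTS_PER_PARTITION];
    size_t free_count;
} partition_t;

static void partition_init(partition_t *p) {
    p->free_count = 0;
    for (size_t i = 0; i < SLOTS_PER_PARTITION; i++)
        p->free_list[p->free_count++] = p->slots[i];
}
static void *partition_alloc(partition_t *p) {
    if (p->free_count == 0) return NULL;
    void *slot = p->free_list[--p->free_count];
    memset(slot, 0, SLOT_SIZE);
    return slot;
}
static void partition_free(partition_t *p, void *ptr) {
    if (p->free_count < SLOTS_PER_PARTITION) p->free_list[p->free_count++] = ptr;
}

/* Unpartitioned heap: objects and plain byte buffers share one pool, so freeing
   an object and then allocating a buffer reuses the object's slot (the UAF reuse step). */
bool shared_heap_reuses_freed_slot(void) {
    static partition_t shared;
    partition_init(&shared);
    void *obj = partition_alloc(&shared);
    partition_free(&shared, obj);          /* obj is now a dangling pointer */
    void *buf = partition_alloc(&shared);  /* the buffer lands where obj was */
    return buf == obj;
}

/* Partitioned heap: objects and buffers come from separate pools, so a freed
   object slot can only be refilled by another object of the same kind. */
bool partitioned_heap_reuses_freed_slot(void) {
    static partition_t objects, buffers;
    partition_init(&objects);
    partition_init(&buffers);
    void *obj = partition_alloc(&objects);
    partition_free(&objects, obj);
    void *buf = partition_alloc(&buffers);
    return buf == obj;
}
```

The shared pool returns the dangling object’s address for the new buffer; the partitioned pools never do, which is the property the Google engineers describe.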

      Another new mitigation that Google is helping Adobe with is improved randomization of the Flash memory heap. The idea of memory randomization is not a new one. On Windows operating systems, address space layout randomization (ASLR) is a well-established technology. Google, however, is specifically randomizing the layout of Flash’s own heap more strongly than what the operating system provides on its own.

      The Google security engineers admit that it’s a “cat and mouse” game with attackers, with each new mitigation likely to produce a new counter-mitigation from hackers.

      “We’ll be looking out for attackers’ attempts to adapt, and devising further mitigations based on what we see,” the Google engineers wrote. “Perhaps more importantly, we’re also devising a next level of defenses based on what we expect we might see.”

      Google’s efforts in helping to secure Flash make a whole lot of sense given that the Chrome browser directly integrates Flash. As a result, a Flash vulnerability makes all Chrome users vulnerable, and that’s not a good situation for Google.

      However, despite the tough month that Adobe has had with Flash security, things are changing. Adobe and its partners are not standing still waiting for the next exploit; rather, they are putting in place proactive techniques to limit future risks.

      The challenges of UAF are not limited to Adobe Flash, and Google isn’t the only security vendor that has a few ideas on remediations either. In February, Microsoft awarded Hewlett-Packard researchers $125,000 in awards as part of the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program. HP’s research was focused on Microsoft’s Internet Explorer browser and UAF vulnerabilities. At the time of the award, Brian Gorenc, manager of vulnerability research for HP Security Research, told eWEEK that the UAF protection techniques HP provided to Microsoft are specific to the IE browser, though in the future they might be able to help others. HP plans on publishing a full white paper on its UAF mitigation at the end of the year, according to Gorenc.

      Although Adobe’s Flash has been strongly impacted in 2015, UAF is a common scourge of modern Web applications. Even as attackers exploit UAF weaknesses, there are improved defenses in the works to secure the Web—thanks to the work of Adobe, Google and HP.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
