
    Adobe Secures Flash, With Help From Google

    By Sean Michael Kerner, July 19, 2015
      Flash flaws

      Adobe is under tremendous pressure to do more to secure its Flash Player technology, which has been aggressively exploited in 2015. Adobe isn't alone in the effort, however: a key ally, Google, is contributing significantly to Flash's defense.

      Flash's weaknesses are numerous, but a large share of them are use-after-free (UAF) memory-safety bugs, in which code keeps using an object after the memory holding it has been freed and possibly handed out again to something else. In the last month, Adobe has patched Flash for 38 different Common Vulnerabilities and Exposures (CVEs), three of which were zero-days found in the material leaked in the breach of Italian surveillance vendor Hacking Team.

      However, the largest single source of Flash vulnerability discoveries so far in July was not a zero-day but Google's Project Zero security team: Adobe credited Google with 20 of the CVEs in its APSB15-16 security bulletin. And as it turns out, Google didn't just report vulnerabilities in Flash; it went a step further and is helping Adobe both remediate the flaws and make whole classes of them harder to exploit in the first place.

      As of Flash 18.0.0.209, released on July 14, the player includes new exploit mitigations contributed by Google's Project Zero.

      Google security engineers Mark Brand and Chris Evans detail the mitigations in a technical post, but what it boils down to is protection against the way UAF bugs are typically exploited: once a freed object's memory is reclaimed by an allocation the attacker controls, the program's stale pointer reads and writes the attacker's data as if it were the original object. Multiple mitigations in the latest Flash release are aimed at breaking that step and making exploitation less reliable. One of them is a technique known as heap partitioning.

      “Heap partitioning is a technique that isolates different types of objects on the heap from one another,” the Google engineers explain. “Chrome uses heap partitioning extensively, and it has become a common defensive technique in multiple browsers. We have now introduced this technology into Flash.”

      Another new mitigation Google is helping Adobe with is improved randomization of Flash's own heap. Memory randomization is not a new idea; on Windows, address space layout randomization (ASLR) is a well-established operating-system feature. Google's change adds randomization inside Flash's heap, on top of what the operating system provides, so that the placement of objects is harder for an exploit to predict.
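      As an added illustration (this is not code from the Project Zero post, Flash or Chrome), the following constructed C program simulates the two halves of the mechanism described above: how a use-after-free becomes type confusion when an attacker's allocation reclaims a freed object's slot, and how heap partitioning blocks that by giving each object type its own region of the heap. The toy slot allocator, the two object types (`vector_obj` and `byte_string`) and the 0xff fill are all assumptions made for the demonstration; heap randomization is not modeled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy heap, not Flash's or Chrome's allocator. Fixed-size slots,
 * one LIFO free list per partition, so the most recently freed slot is the
 * first one handed back out. That reuse order is what a UAF exploit relies on.
 */
#define SLOT_SIZE           32
#define SLOTS_PER_PARTITION 8
#define MAX_PARTITIONS      2

struct partition {
    _Alignas(16) unsigned char slots[SLOTS_PER_PARTITION][SLOT_SIZE];
    int free_stack[SLOTS_PER_PARTITION];
    int free_top;
};

static struct partition heap[MAX_PARTITIONS];

static void heap_init(void) {
    for (int p = 0; p < MAX_PARTITIONS; p++) {
        memset(heap[p].slots, 0, sizeof heap[p].slots);
        heap[p].free_top = 0;
        /* Push in reverse so slot 0 is the first allocation handed out. */
        for (int i = SLOTS_PER_PARTITION - 1; i >= 0; i--)
            heap[p].free_stack[heap[p].free_top++] = i;
    }
}

static void *heap_alloc(int p, size_t size) {
    if (size > SLOT_SIZE || heap[p].free_top == 0)
        return NULL;
    int idx = heap[p].free_stack[--heap[p].free_top];
    return heap[p].slots[idx];
}

static void heap_free(int p, void *ptr) {
    ptrdiff_t off = (unsigned char *)ptr - &heap[p].slots[0][0];
    /* Freed slot goes on top of the stack: the next alloc in this partition reuses it. */
    heap[p].free_stack[heap[p].free_top++] = (int)(off / SLOT_SIZE);
}

/* Type A: a length-carrying object whose fields the program trusts. */
struct vector_obj {
    uint32_t length;
    uint32_t capacity;
    unsigned char *data;
};

/* Type B: a byte buffer whose contents the attacker fully controls. */
struct byte_string {
    unsigned char bytes[SLOT_SIZE];
};

/*
 * Simulated UAF. A vector_obj is freed but a stale pointer to it survives;
 * the attacker then allocates a byte_string and fills it with 0xff.
 *   partitioned == 0: both types share partition 0 (one flat heap).
 *   partitioned == 1: type A lives in partition 0, type B in partition 1.
 * Returns the length the program later reads through the stale pointer.
 */
uint32_t uaf_reclaimed_length(int partitioned) {
    heap_init();
    int part_a = 0;
    int part_b = partitioned ? 1 : 0;

    struct vector_obj *v = heap_alloc(part_a, sizeof *v);
    v->length = 4;
    v->capacity = 4;
    v->data = NULL;

    struct vector_obj *stale = v;   /* the bug: pointer kept past the free */
    heap_free(part_a, v);

    struct byte_string *s = heap_alloc(part_b, sizeof *s);
    memset(s->bytes, 0xff, sizeof s->bytes);   /* attacker-chosen contents */

    return stale->length;   /* a bounds check downstream would trust this */
}

/* Returns 1 if the attacker's allocation landed on the freed vector_obj's slot. */
int uaf_slots_overlap(int partitioned) {
    heap_init();
    int part_b = partitioned ? 1 : 0;

    struct vector_obj *v = heap_alloc(0, sizeof *v);
    void *stale = v;
    heap_free(0, v);
    void *s = heap_alloc(part_b, sizeof(struct byte_string));
    return stale == s;
}

int main(void) {
    printf("flat heap:        overlap=%d length=0x%08x\n",
           uaf_slots_overlap(0), uaf_reclaimed_length(0));
    printf("partitioned heap: overlap=%d length=0x%08x\n",
           uaf_slots_overlap(1), uaf_reclaimed_length(1));
    return 0;
}
```

      On the flat heap the stale pointer reads the attacker's 0xff bytes as a length of 0xffffffff, which is exactly the corrupted field a real exploit would use to read or write out of bounds. On the partitioned heap the attacker's `byte_string` cannot land on the freed slot at all; that slot can only ever be reused by another `vector_obj`, so the stale read sees a well-formed object (here the old value 4) rather than attacker-controlled bytes. The bug is still there, but the usual path from it to type confusion is gone.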

      The Google security engineers admit that this is a "cat and mouse" game, with each new mitigation likely to produce a new counter-technique from attackers.

      “We’ll be looking out for attackers’ attempts to adapt, and devising further mitigations based on what we see,” the Google engineers wrote. “Perhaps more importantly, we’re also devising a next level of defenses based on what we expect we might see.”

      Google's efforts in securing Flash make a whole lot of sense given that the Chrome browser bundles Flash directly. A Flash vulnerability is therefore a vulnerability in every Chrome installation, and that's not a good situation for Google.

      Despite the tough month Adobe has had with Flash security, things are changing. Adobe and its partners are not standing still waiting for the next exploit; they are putting proactive techniques in place to limit future risk.

      The challenge of UAF is not limited to Adobe Flash, and Google isn't the only company with ideas on remediation either. In February, Microsoft awarded Hewlett-Packard researchers $125,000 as part of the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program. HP's research focused on UAF vulnerabilities in Microsoft's Internet Explorer browser. At the time of the award, Brian Gorenc, manager of vulnerability research for HP Security Research, told eWEEK that the UAF protection techniques HP provided to Microsoft are specific to the IE browser, though in the future they might be able to help others. HP plans to publish a full white paper on its UAF mitigation at the end of the year, according to Gorenc.

      Although Adobe's Flash has been hit hardest in 2015, UAF is a common scourge of the native code that underlies the modern Web, browsers and their plug-ins alike. Even as attackers exploit UAF weaknesses, improved defenses are in the works to secure the Web, thanks to the work of Adobe, Google and HP.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
