Adobe is under tremendous pressure to do more to secure its Flash Player technology, which has been aggressively exploited in 2015. However, Adobe isn’t alone in its efforts to secure Flash, as a very key ally is contributing significantly to Flash’s defense—none other than Google.
Flash’s weaknesses are numerous, but common ones are use-after-free (UAF) memory vulnerabilities. In the last month, Adobe has patched Flash for 38 different Common Vulnerabilities and Exposures (CVEs), three of which were identified as zero-day exploits that were found in the breached materials of Italian security vendor Hacking Team.
However, the largest single source of Flash exploit discovery so far in July was not a zero-day exploit, but rather it was from Google’s Project Zero security initiative. Adobe credited Google with the discovery of 20 CVEs in its APSB15-16 security bulletin. But as it turns out, Google didn’t just report vulnerabilities in Flash; the company went a step further and is helping Adobe remediate the flaws and prevent them in the first place.
As of the Flash v18.0.0.209 update, which was released on July 14, Flash now includes new attack mitigations, courtesy of Google’s Project Zero security initiative.
Google security engineers Mark Brand and Chris Evans detail the full mitigation in a technical post, but what it really boils down to is protection for a common class of UAF exploits that take advantage of weaknesses in memory. To that end, there are now multiple mitigations integrated in the latest Flash release to reduce the attack surface. One of those mitigations is a technique known as heap partitioning.
“Heap partitioning is a technique that isolates different types of objects on the heap from one another,” the Google engineers explain. “Chrome uses heap partitioning extensively, and it has become a common defensive technique in multiple browsers. We have now introduced this technology into Flash.”
Another new mitigation that Google is helping Adobe with is improved randomization of the Flash memory heap. The idea of memory randomization is not a new one. On Windows operating systems, address space layout randomization (ASLR) is a well-established technology. Google, however, is specifically improving Flash’s memory in a stronger, more randomized way than what the operating system enables on its own.
The Google security engineers admit that it’s a “cat and mouse” game with attackers, with each new mitigation likely to produce a new counter-mitigation from hackers.
“We’ll be looking out for attackers’ attempts to adapt, and devising further mitigations based on what we see,” the Google engineers wrote. “Perhaps more importantly, we’re also devising a next level of defenses based on what we expect we might see.”
Google’s efforts in helping to secure Flash make a whole lot of sense given that the Chrome browser directly integrates Flash. As a result, a Flash vulnerability makes all Chrome users vulnerable, and that’s not a good situation for Google.
However, despite the tough month that Adobe has had with Flash security, things are changing. Adobe and its partners are not standing still waiting for the next exploit; rather, they are putting in place proactive techniques to limit future risks.
The challenges of UAF are not limited to Adobe Flash, and Google isn’t the only security vendor that has a few ideas on remediations either. In February, Microsoft awarded Hewlett-Packard researchers $125,000 in awards as part of the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense Program. HP’s research was focused on Microsoft’s Internet Explorer browser and UAF vulnerabilities. At the time of the award, Brian Gorenc, manager of vulnerability research for HP Security Research, told eWEEK that the UAF protection techniques HP provided to Microsoft are specific to the IE browser, though in the future they might be able to help others. HP plans on publishing a full white paper on its UAF mitigation at the end of the year, according to Gorenc.
Although Adobe’s Flash has been strongly impacted in 2015, UAF is a common scourge of modern Web applications. Even as attackers exploit UAF weaknesses, there are improved defenses in the works to secure the Web—thanks to the work of Adobe, Google and HP.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.