Adobe and Google’s Project Zero recently worked together on outfitting the latest version of Flash with new exploit mitigations.This collaborative effort comes on the heels of the disclosure of three zero-day security vulnerabilities in Flash as part of this month’s Hacking Team leaks.According to a blog post written by Mark Brand and Chris Evans of Project Zero, the newest version of Flash, which was released earlier this week, seeks to address persistent weaknesses used by attackers to compromise the software. This includes the exploitation of a heap overflow vulnerability, as shown here:
Source: Project Zero“The attacker has performed ‘heap grooming’, which attempts to place an object of interest after the object from which the heap overflow originates,” Brand and Evans write. “The chosen object of interest is a Vector.<uint> buffer, which starts with a length. The desired corruption is to corrupt and increase this length. This technique was used in recent 0-days [of Adobe Flash], as well as various 1-days.”Attackers are were also able to exploit a use-after vulnerability in Flash, which allowed them to allocate a
Vector.<uint> into a freed heap chunk and then write over the
Vector.<uint> length with a larger value.Project Zero and Adobe have therefore introduced three exploit mitigations designed to address these and other vulnerabilities in Flash. These fixes are:
Vector.<uint> buffer heap partitioning: Arrays are now separated from other heap objects, which means that their addresses are now too far apart for most attackers to be able to overflow a buffer and alter a vector’s array length. Any attempt to do so will now either result in a page fault or will cause the software to crash.Stronger randomization for the Flash heap: By randomizing the memory allocation of the Flash heap, attackers who seek to compromise Flash now have fewer consistent and reliable methods of exploitation at their disposal.
Vector.<*> length validation: An extra value known as a “secret” has been added to each array’s metadata in Adobe Flash. This means that in the event that an attacker seeks to change an array’s length, they must also insert the proper secret. Failure to do so will cause the software to crash.Brand and Evans hope these mitigations will help protect Adobe Flash well into the future. However, acknowledging that attackers will move to produce counter-mitigations, they also realize that their work is “very far from finished.”