Google helps Adobe improve Flash security

Adobe has been dealt a heavy blow after the Hacking Team data dump produced three Flash Player zero-day exploits and they begun being exploited in the wild.

While Adobe was working on a fix, Mozilla made Firefox block vulnerable versions of Adobe Flash by default, and security experts called for Adobe to finally sunset Flash and ask browser developers to do the same.

Wiebke Lips, a senior manager of Adobe’s corporate communications, responded by saying that the company is working heavily on securing Flash.

“Aside from generally hardening the code, and finding and addressing vulnerabilities internally, a key focus area has been the development of mitigation techniques that prevent entire classes of vulnerabilities from being exploited. The introduction of some of these mitigation techniques has been on the roadmap but is moving forward more quickly as a result of recent developments,” he noted.

A few days later, some of these efforts were revealed: experts from Google’s Project Zero have been working with Adobe on Flash mitigations.

They have made some changes in how Flash interacts with an OS: they introduced heap partitioning, improved the randomization for the Flash heap, and implemented object length validation to prevent memory corruption (more technical details are available here). The changes have already been implemented in the latest version of Flash Player and that of Google Chrome.

Still, some users might have found their patience run out when it comes to Flash.

To them, Fortinet researcher Bing Liu offered the following advice: don’t think your computer is immune to Flash exploits if you simply disable the Flash plugin in your web browser.

“Flash files can not only be embedded in a web page but also in various document formats such as Microsoft Office documents and PDF files. Even if you have disabled Flash in your browsers, Flash exploits can still leverage Flash Player vulnerabilities through software like Microsoft Office and Adobe Reader,” he warned.

Microsoft’s Enhanced Mitigation Experience Tool (EMET) can block some of these exploits but, in the end, this is just one example of how Flash can be exploited outside of a web browser.

“Flash is a technology that can be embedded in many places and requires vigilance on the part of users as well as smart edge and endpoint protection and rigorously patched software to ensure that Flash exploits don’t end up on your network,” he concluded.