Tag: vulnerabilities

Thanks to the recent string of zero-day vulnerabilities, Adobe has been busy modifying the architecture of Flash and strengthening its defenses:

At the moment, the defenses are fully implemented only in the Flash version included in Google Chrome, having made their debut earlier this week. One of the two mitigations is available in other versions of Flash, and the remaining one is expected to be added to other browsers in August. Had they been widely available earlier, they likely would have blunted the effects of at least some of the three most recent zero-day vulnerabilities, which were leaked following the thorough hack of Hacking Team, the malware-as-a-service provider that catered to governments around the world. To block entire classes of new exploits, Adobe engineers, with the help of their counterparts at Google’s Project Zero team, have made two key changes, which were documented in a blog post published Thursday.

The first, which is currently available only in Chrome, is a new partition added to the heap, which is a large pool of computer memory. The partition isolates different types of memory contents, typically known as objects, from each other so one can’t be used to hijack or otherwise tamper with another. Heap partitioning has long been a mainstay in Chrome and other browsers. Now it’s a key defense in Flash.

Had heap partitioning been a part of Flash earlier, it would have significantly complicated some of the exploits that recently came to light in the Hacking Team breach. That’s because the exploits modified the “Vector.” object after a portion of heap where it had resided was freed. The tampering allowed the attackers to inject malicious code into computer memory and from there install their malicious software on the underlying computer. Similar Vector. tampering was also a part of separate, in-the-wild exploits from earlier this year.
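To make the quoted point concrete, here is an added illustration (my own toy code, not Adobe's, Chrome's or Project Zero's) of what heap partitioning changes. It is a minimal slab allocator with a LIFO free list, run once as a single shared pool and once as one pool per object kind. The object kinds, pool sizes and function names are all hypothetical. After a "buffer" slot is freed, a shared pool hands that same slot to the next allocation of any kind, so a stale pointer to the buffer now aliases an unrelated object; with one pool per kind, the freed slot can only be refilled by another buffer. The second function shows the caveat: partitioning does not stop reuse within the same kind, so it narrows what a dangling pointer can reach rather than fixing the use-after-free itself.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not Flash or Chrome code: a toy slab allocator with a
 * LIFO free list, used once as a single shared pool and once as one pool per
 * object kind (a "partition"), to show what partitioning changes. */

#define SLOT_SIZE 64
#define SLOTS_PER_POOL 8

typedef struct {
    unsigned char mem[SLOTS_PER_POOL][SLOT_SIZE];
    int free_stack[SLOTS_PER_POOL];   /* indices of free slots, LIFO */
    int free_top;
} pool_t;

static void pool_init(pool_t *p) {
    p->free_top = 0;
    for (int i = SLOTS_PER_POOL - 1; i >= 0; i--)
        p->free_stack[p->free_top++] = i;   /* slot 0 is handed out first */
}

static void *pool_alloc(pool_t *p) {
    if (p->free_top == 0) return NULL;
    return p->mem[p->free_stack[--p->free_top]];
}

static void pool_free(pool_t *p, void *ptr) {
    int idx = (int)(((unsigned char *)ptr - &p->mem[0][0]) / SLOT_SIZE);
    p->free_stack[p->free_top++] = idx;   /* most recently freed slot is reused next */
}

/* Hypothetical object kinds: a buffer-like object (stand-in for the Vector
 * object the article mentions) and an unrelated string object. */
enum obj_kind { KIND_BUFFER = 0, KIND_STRING = 1, KIND_COUNT };

typedef struct {
    pool_t pools[KIND_COUNT];  /* partitioned: one pool per kind */
    pool_t shared;             /* unpartitioned: one pool for all kinds */
    int partitioned;
} heap_t;

static void heap_init(heap_t *h, int partitioned) {
    h->partitioned = partitioned;
    pool_init(&h->shared);
    for (int k = 0; k < KIND_COUNT; k++) pool_init(&h->pools[k]);
}

static void *heap_alloc(heap_t *h, enum obj_kind kind) {
    return pool_alloc(h->partitioned ? &h->pools[kind] : &h->shared);
}

static void heap_free(heap_t *h, enum obj_kind kind, void *ptr) {
    pool_free(h->partitioned ? &h->pools[kind] : &h->shared, ptr);
}

/* Free a buffer, then allocate a string. Returns 1 if the string now occupies
 * the buffer's old slot, i.e. a stale buffer pointer would alias an object of
 * a different kind; 0 if that slot can only be refilled by another buffer. */
int stale_pointer_aliases_other_kind(int partitioned) {
    heap_t h;
    heap_init(&h, partitioned);

    void *buf = heap_alloc(&h, KIND_BUFFER);
    heap_free(&h, KIND_BUFFER, buf);            /* buf is now dangling */
    void *str = heap_alloc(&h, KIND_STRING);

    return str == buf;
}

/* Same kind still reuses the slot: partitioning is not a use-after-free fix. */
int stale_pointer_aliases_same_kind(int partitioned) {
    heap_t h;
    heap_init(&h, partitioned);

    void *buf = heap_alloc(&h, KIND_BUFFER);
    heap_free(&h, KIND_BUFFER, buf);
    void *buf2 = heap_alloc(&h, KIND_BUFFER);

    return buf2 == buf;
}

int main(void) {
    printf("shared heap, other kind lands on freed slot:      %d\n",
           stale_pointer_aliases_other_kind(0));
    printf("partitioned heap, other kind lands on freed slot: %d\n",
           stale_pointer_aliases_other_kind(1));
    printf("partitioned heap, same kind lands on freed slot:  %d\n",
           stale_pointer_aliases_same_kind(1));
    return 0;
}
```

Real allocators such as Chrome's PartitionAlloc add size classes, guard regions and randomization on top of this idea; the one property the toy isolates is that a type-confused reuse across partitions cannot happen, which is exactly the kind of cross-object tampering the article describes.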

Firefox has made the right move and now blocks Flash, the antiquated software equivalent of Swiss cheese, by default:

The Mozilla Firefox web browser now blocks Flash by default. And when I say “blocks,” I don’t mean it asks you nicely if you’d really like to use Flash. I don’t mean it automatically pauses Flash videos like Google Chrome. I mean Mozilla has decided that Flash is going down.

Why such a hard-on for Flash? Why now? Well, it could be that the world just rediscovered just how prone Flash is to nasty, nasty vulnerabilities. When the Hacking Team—an Italian security company that sold intrusive spy tools—got hacked, one of those tools got out into the wild. A nasty hole in Flash that Adobe has yet to patch.

And in fact, Mozilla’s Mark Schmidt says that once the “publicly known vulnerabilities” are fixed, Firefox will stop actively blocking Flash.

So what about the bigger picture? Why ask to get rid of Flash once and for all?

This only applies to older versions of Flash with known vulnerabilities. The most recently issued version of Flash appears not to be blocked, yet.