Whilst Project Zero has gained a reputation for vulnerability and exploitation research, that's not all that we do. One of the main re...
Whilst Project Zero has gained a reputation for vulnerability and exploitation research, that's not all that we do. One of the main reasons we perform this research is to provide data to defenders; and one of the things that defenders can do with this data is to devise exploit mitigations.
Sometimes, we'll take on exploit mitigations ourselves. Recently, we've been working with Adobe on Flash mitigations, and this post describes some significant mitigations have landed over the past couple of Flash versions.
Now is a good time to check your current Flash version because you really want the latest one. For example, if you're running Google Chrome, you can visit about:version to check the versions of various components. If you have Flash v18.0.0.209 (or newer), then you have the new goodies. If not, you can (on Windows) visit chrome://chrome to give the autoupdater a kick. (If you’re running an older version of Chrome, you will in fact receive a more active warning and block when encountering Flash content.)
Before we dive into the technicalities of some of the mitigations landed, it's worth reminding ourselves how the vast majority of recent Flash 0-day, 1-day and research exploits have worked:
In the above diagram, we see a heap overflow vulnerability being exploited. The attacker has performed "heap grooming", which attempts to place an object of interest after the object from which the heap overflow originates. The chosen object of interest is a Vector.<uint> buffer, which starts with a length. The desired corruption is to corrupt and increase this length. This technique was used in recent 0-days, as well as various 1-days.
And in this diagram, we see a use-after-free vulnerability being exploited. The attacker has caused a heap chunk to be freed whilst it is still referenced. The attacker then allocates a Vector.<uint> into this freed heap chunk and the subsequent use-after-free writes over the Vector.<uint> length with a larger value. This technique was used in at least two of the recent Hacking Team 0-days.
The commonality between both cases is an abuse of a corruption of a Vector.<uint> buffer object's length, which has been the go-to method for Flash exploitation for a while. Aside from 0-days and 1-days, Project Zero's own research has used this technique. For example, when working on the new exploit primitive "parallel thread corruption", we used Vector.<uint>. And why wouldn't we? There's no point in doing something complicated when something simple exists to solve the problem. And it is exactly because the Vector.<uint> primitive is so simple and powerful that it needs to be addressed.
Google Project Zero
