Google helps Adobe patch Flash

By now, everyone knows just in how much trouble Adobe is with its Flash Player, including Google who decided to lend a helping hand to the stressed company.

A team of Google’s security experts has helped Adobe place some anti-hacker defences to the player, and has now described these measures in greater detail.

Many, many Flash exploits work by using bugs in Adobe's software to increase the length value of an array without reallocating it, effectively extending it to occupy a nearby object's memory, The Register writes in a report.

By reading and writing unsigned integer elements in the additional space, the attacker can access and alter memory in objects he or she is not allowed to normally touch.

These arrays sit in heap memory close to each other, so it becomes easy to manipulate the contents of other heap objects. Exploiting this to gain code execution is left as an exercise to the hacker.

So Google and Adobe have come up with three defences:

  • Vector. buffer heap partitioning: Arrays are separated from other heap objects, so attempts to overflow a buffer and alter a nearby vector's length is much more difficult – their addresses are now too far apart. Going the distance will trigger a page fault or blow away too much of the environment to continue running without crashing. And a crash is better than exploitation.
  • Stronger randomization for the Flash heap: Attackers need to know the memory layout of Flash at the moment of exploitation. It's like building one of those marble run machines where everything has to be placed more or less precisely for the right values to slot into position. Randomizing heap allocations wrecks the chances of reliable exploitation.
  • Vector. length validation: Adobe has added an extra value to an array's metadata called a secret, which is calculated using the length. If an attacker changes an array's length, the array's secret must be recalculated, but if the attacker cannot generate the correct secret for the desired length, Flash can detect this and crash before a vulnerability is exploited. So this helps stop miscreants overwriting a vector's length, which may kill most attacks dead.