Found an Adobe Flash zero-day? Flog it for $100k while there's still time

Zerodium opens chequebook for Adobe Flash 'heap isolation bypass' exploits

Zerodium, the "premium exploit acquisition platform for high-end zero-days", to quote the company itself, is dangling cheques for up to $100,000 in return for Adobe Flash zero-day exploits.

It follows the announcement just before Christmas by Adobe, much maligned for the constant stream of security flaws in its Flash and Acrobat Reader client software, that it had rewritten the memory manager in Adobe Flash in order to provide better security.

"With the December release of Flash Player, we introduced several new security enhancements," claimed Adobe in a blog posting.

It continued: "Adobe has spent the year working with Google and Microsoft on proactive mitigations. Some of the mitigations were minor tweaks to the environment: such as Google's Project Zero helping us to add more heap randomization on Windows 7 or working with the Chrome team to tweak our use of the Pepper API for better sandboxing. There have also been a few larger scale collaborations.

"One example of a larger scale collaboration is our heap isolation work. This project initially started with a Project Zero code contribution to help isolate vectors. Based on the results of that release and discussions with the Microsoft research team, Adobe then expanded that code to cover ByteArrays. In last week's release, Adobe deployed a rewrite of our memory manager to create the foundation for widespread heap isolation which we will build on, going forward. This change will limit the ability for attackers to effectively leverage use-after-free vulnerabilities for exploitation."

Adobe has also become an early adopter of Microsoft's new Control Flow Guard protection, it added.

"Our first roll out of this mitigation was in late 2014 to help protect static code within Flash Player. In the first half of this year, we expanded our CFG usage to protect dynamic code generated by our Just-In-Time (JIT) compiler. In addition, Microsoft also worked with us to ensure that we could take advantage of the latest security controls for their new Edge browser."

However, security enhancements to the (still) ubiquitously used Adobe Flash Player and Acrobat Reader software has no doubt caused much anxiety in government intelligence circles and among hackers, both of whom had become used to exploiting the many security flaws in both pieces of software.

"Adobe added isolated heap to Flash. This month we pay $100K (with sandbox) and $65K (without sandbox) per #exploit bypassing this mitigation," tweeted Zerodium yesterday in response.

Zerodium was launched in July by the founder of Vupen Security, the controversial French information security company, which won first prize in the hacking contest Pwn2Own four years running, partly due to its use of purchased security flaws. Vupen's business model eschewed informing companies of security flaws and, instead, selling them on to the highest bidders.

Vupen had been a big provider of exploits to Hacking Team, the hacked security software company, which worked with governments on products that could help them hack people's computers. Vupen, however, ceased operations in May 2015 - not long after the attack that exposed Hacking Team's activities.