There were three low-level defenses added in Flash Player 18.0.0.209, two of which block a technique that has been used by many Flash exploits since 2013.
The technique involves corrupting the length of an Action Script Vector buffer object so that malicious code can be placed at predictable locations in memory and executed. Action Script is the programming language in which Flash applications are written.
Google’s security engineers contributed a mitigation for this issue that Adobe Systems integrated into the latest Flash Player version. They call it “heap partitioning” and can be used to isolate different objects from one another in the heap. The heap is special region of the computer’s memory where programs store variables.
Adobe also developed and added its own mitigation for Vector buffer length corruptions that complements the one contributed by Google. Called Vector length validation, this mitigation works better on 32-bit version of Flash than Google’s defense and also covers more types of Vectors.
Finally, the new Flash Player update also improves the randomization of the Flash heap thanks to another contribution from Google, making exploitation harder.
For now this defense only exists in the Flash Player plug-in that uses the Pepper Plugin API (PPAPI), like the one bundled in Chrome. However, Adobe plans to add it to the other versions of the plug-in — the ones designed for Internet Explorer and Firefox — next month.
The Google researchers expect that attackers will work to find ways around these defenses, but for now the added protection is an important step for Flash Player’s security.
