Update 21st February 2016:
In late December 2015 Adobe discussed in a blog post the increasing use of extra security mitigations (defined within this post) being added to Flash Player as a result of their work with the Google Project Zero team and Microsoft’s research team.
Adobe are gradually introducing these mitigations to allow for feedback/suggestions to be used to improve the newly added and soon to be added mitigations. Moreover, as Adobe points out, continually changing the code of Flash Player by adding these security features makes it harder for attackers to obtain consistently working exploits for use within exploit kits (defined).
As discussed in a previous blog post mitigations were added to Vector objects to make exploiting use-after-free (defined) vulnerabilities more difficult. This work has been extended to ByteArrays. Adobe also extended their heap isolation (more information in this post) work in December’s Flash Player update.
In addition, in mid-2015 Adobe added Control Flow Guard (CFG) (defined) protection to protect the code generated by their Just-In-Time (JIT) compiler (defined). As I mentioned in a previous post, CFG was added to Flash Player in 2014 and a bypass was quickly found. I’m not stating that CFG protection isn’t worthwhile, just that, like any security technology, it is not perfect but does add extra effort on the part of the attacker to bypass, making it a worthy/welcome addition.
In Adobe’s conclusion of their post they mention that further improvements will be made available in 2016. I will update this post as those security improvements become available.
On the 10th of November Adobe released a security update for Flash Player to address 17 security issues (CVEs, defined). Among these issues was a use-after-free (defined) issue (designated CVE-2015-7663) responsibly disclosed (defined) to Adobe by security firm Endgame.
Endgame have since detailed in a blog post 2 new techniques/defensive measures that they have developed with a view to have these included in future versions of Flash Player.
How Do These New Techniques Work?
Adobe’s recently added security mitigations (defensive measures used to harden against attack) focus on a commonly used object type (Vector objects) within the ActionScript language used by Flash Player. However, this is only one class of object, and as Endgame mentions attackers will simply move on to find another type of object that does not include such defenses and work to exploit it (indeed attackers have developed a bypass to the security mitigations introduced by Adobe earlier this year, which has been analysed by Trend Micro).
Endgame’s approach is to apply heap (defined) isolation to as many objects as possible rather than commonly exploited objects. A use-after-free issue relies on the fact that an attacker can place an object of their choice into the space/gap in computer memory that was previously allocated for another object and direct the target program/application to access that specifically placed object. The isolation mitigation developed by Endgame seeks to only allow the attacker to re-allocate the original object rather than one of their choice which breaks the principle behind a use-after-free issue rendering it ineffective for exploitation.
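To make the heap-isolation idea concrete, here is an added toy example (not Adobe’s or Endgame’s code; the slot layout and type tags are assumptions) that frees an object of one type and then allocates an object of another type of the same size: with a single shared pool the new object lands in the freed slot, which is the precondition a use-after-free needs, whereas with per-type pools it cannot.

```c
/* Toy slab allocator contrasting one shared pool for every object type with
 * per-type isolated pools. Added illustration of the heap-isolation idea above,
 * not Adobe's or Endgame's code; slot layout and type tags are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define SLOTS 8
#define TYPE_A 1   /* a freed object the program still holds a pointer to */
#define TYPE_B 2   /* a different object type of the same size */

struct slot { int in_use; int type; uint32_t payload[4]; };

static struct slot *take_free(struct slot *pool, int type) {
    for (int i = 0; i < SLOTS; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; pool[i].type = type; return &pool[i]; }
    return NULL;
}
static void release(struct slot *s) { s->in_use = 0; }

/* Shared pool: any freed slot can be reused by any type. */
static struct slot shared[SLOTS];
static struct slot *shared_alloc(int type) { return take_free(shared, type); }

/* Isolated pools: one slab per type, so a slot freed by TYPE_A can only ever
 * be reoccupied by another TYPE_A object. */
static struct slot isolated[3][SLOTS];
static struct slot *iso_alloc(int type) { return take_free(isolated[type], type); }

/* Free an A object, then allocate a B object of the same size: does B land in
 * A's old slot? Returns 1 if the stale pointer 'a' now aliases a TYPE_B object. */
static int shared_reuses_slot(void) {
    struct slot *a = shared_alloc(TYPE_A);
    release(a);                        /* 'a' is now dangling */
    struct slot *b = shared_alloc(TYPE_B);
    return a == b;                     /* 1: the use-after-free precondition holds */
}
static int isolated_reuses_slot(void) {
    struct slot *a = iso_alloc(TYPE_A);
    release(a);
    struct slot *b = iso_alloc(TYPE_B);
    return a == b;                     /* 0: B lives in its own pool */
}

int main(void) {
    printf("shared pool: stale pointer aliases new object = %d\n", shared_reuses_slot());
    printf("isolated pools: stale pointer aliases new object = %d\n", isolated_reuses_slot());
    return 0;
}
```

Real allocators add bucketing by size and randomisation on top of this, but the property that matters for the mitigation is the same: a dangling pointer can only ever see memory shaped like the object it was meant to point at.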
Since Flash Player incorporates commonly used defences such as DEP and ASLR (references discussing DEP are provided here (see “References” at the end of the post), while ASLR is discussed here and here (see “References” at the end of the post)), attackers generally seek to bypass these mitigations using a technique known as Return Oriented Programming (ROP) (defined).
However, to do this the attackers must change the sequence of steps being carried out by the target application. For example, instead of carrying out instructions 1, 2 and 3 in order, the attackers will have the program jump (similar to jumping to the front of a queue of people so that you are next to be served) to instructions of the attacker’s choice.
Moreover, Endgame has developed a technique to detect when this jump is carried out without the need for making extensive changes to the target program/application. When such a jump is detected, a message can be displayed allowing the person using the computer to abort what the program is doing or to continue. This technique is similar in approach to Control Flow Guard (CFG) introduced by Microsoft with Visual Studio 2015. CFG was discussed in a past blog post of mine.
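The following added example (an illustration of the CFG-style principle, not Microsoft’s CFG implementation or Endgame’s detection technique; the handler names and the target table are assumptions) shows the core check: before following a function pointer, the program confirms the target is one of its known legitimate entry points and refuses the call otherwise, which is the point at which a prompt to abort or continue could be raised.

```c
/* Whitelist check before an indirect call, in the spirit of CFG: the call is
 * made only when the target is a known legitimate entry point. Added
 * illustration of the principle, not Microsoft's CFG or Endgame's detector;
 * the handler names and the table are assumptions. */
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_t)(int);

static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }
/* A function the program never intends to reach through a pointer. */
static int not_a_dispatch_target(int x) { return x + 1; }

/* Table of valid indirect-call targets (CFG keeps a bitmap of these). */
static const handler_t valid_targets[] = { double_it, negate };

static int is_valid_target(handler_t fn) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++)
        if (valid_targets[i] == fn) return 1;
    return 0;
}

/* Guarded dispatch: returns 1 and stores the result if the target was allowed,
 * 0 if it was refused. A corrupted pointer is refused here rather than
 * followed, which is where a "continue or abort" prompt could be raised. */
static int guarded_call(handler_t fn, int arg, int *out) {
    if (!is_valid_target(fn)) {
        fprintf(stderr, "blocked: indirect call to unexpected target\n");
        return 0;
    }
    *out = fn(arg);
    return 1;
}

static int result_of_allowed_call(void) {  /* 42 */
    int r = 0;
    return guarded_call(double_it, 21, &r) ? r : -1;
}
static int rogue_call_was_blocked(void) {  /* 1 */
    int r = 0;
    return guarded_call(not_a_dispatch_target, 5, &r) == 0;
}

int main(void) {
    printf("allowed call result: %d\n", result_of_allowed_call());
    printf("rogue call blocked: %d\n", rogue_call_was_blocked());
    return 0;
}
```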
As mentioned at the end of my previous blog post on Adobe Flash Player mitigations it is always welcome to see such improvements being made in an effort to thwart attackers since it raises the bar/standard attackers must use to successfully compromise their intended targets.
I very much hope that these mitigations are effective (if only for a short time against attackers). As before, I don’t mean this in an offensive manner; no mitigation is perfect and these new mitigations were designed to make it harder, not impossible, for exploits to occur (as mentioned by Trend Micro at the end of a blog post written last month).