The work of Adobe, Google, Microsoft and others could go out the window if Zerodium gets what it wants

Jan 5, 2016 15:40 GMT

Zerodium, the company that buys zero-day bugs from security researchers and then resells them to government intelligence agencies, has put out a new bounty, this time on Adobe's Flash Player.

Zerodium, which previously offered $1 million / €0.93 million to a security researcher for a zero-day bug in Apple's iOS 9 operating system, is now giving $100,000 / €93,000 to the first researcher who finds a similar zero-day bug capable of avoiding Flash's new isolated heap protection.

Flash's isolated heap protection silently added in December

Announced by Adobe at the start of December, isolated heap protection is a modern security technique that separates data processes inside the computer's memory.

Work on this feature was started in July with Flash Player version 18.0.0.209, when Google's Project Zero developers contributed a large chunk of code to have heap isolation supported in Flash.

Microsoft later helped as well, and by Flash's December release, Adobe had a proper implementation of heap isolation, one that could make the infosec community proud.

"This change will limit the ability for attackers to effectively leverage use-after-free vulnerabilities for exploitation," said Adobe in December.

Zerodium desperately needs a way around Flash's new security feature

Zerodium's recent zero-day bounty of $100,000 stands as a testament to the high-quality collaborative work done on heap isolation. According to a price list the company published a few months back, security researchers submitting Flash zero-day bugs were only eligible to earn up to a maximum of $80,000 / €75,000. Apparently, Zerodium's staff deemed heap isolation a serious enough obstacle to warrant a $20,000 raise.

Following the Hacking Team data breach in June 2015, Adobe has been slowly but surely stepping up its security patching game and has started collaborating more with researchers in order to fix Flash's glaring security holes.

In 2015, according to statistics provided by CVE Details, security researchers disclosed 314 security vulnerabilities in Adobe Flash, which ranks it third behind Apple's OS X and iOS operating systems.