Despite the relentless calls to end Flash Player, a company known for buying high-risk zero-day vulnerabilities has offered $100k for any working exploit that can bypass Flash Player’s Heap Isolation mitigation.
A little less than a month ago, Adobe announced it had rewritten its memory manager, laying the groundwork for fully deploying heap isolation, an important protection against Use-After-Free (UAF) vulnerability exploits. Adobe deployed Heap Isolation in version 18.0.0209.
Zerodium is a French startup launched by Vupen, a company infamous for buying and selling high-risk zero-day exploits and leasing them to governments and private third parties around the world.
Vulnerability firm Zerodium, which describes itself as “the premium zero-day acquisition platform,” made headlines last year when it paid $1 million for a vulnerability in iOS 9. The vulnerability in question allowed a remote, browser-based and untethered jailbreak for iOS 9.1/9.2b.
A use-after-free vulnerability is a memory corruption flaw that can be exploited to execute arbitrary code, up to full remote code execution on the vulnerable system. Isolated Heap mitigation was designed to block the memory reuse that Use-After-Free exploitation depends on.
Adobe’s mitigation allocates a dedicated heap for selected critical objects, isolated from the heaps that user-controlled data can reach directly.
Isolated Heap denies an attacker control over what lands in a freed object’s memory, removing the leverage the attacker had for corrupting memory.
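To make the mechanism concrete, here is an added illustration (not Adobe’s code, and not part of the original article) of a toy per-type pool allocator. The pool names, the `critical_obj` and `user_buf` types and the helper functions are all assumptions made for this example. It shows the property the mitigation relies on: once an object is freed, its slot can only be handed back out to an object of the same type, so user data from another type can never be placed over the dangling pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a per-type isolated heap (illustrative, not Adobe's code).
 * Each pool owns its own arena and a free list of fixed-size slots, so a
 * slot can only ever be reused by another object from the same pool. */
typedef struct {
    size_t slot_size;
    size_t nslots;
    unsigned char *arena;
    void *free_list;            /* intrusive singly linked list of free slots */
} pool_t;

static int pool_init(pool_t *p, size_t slot_size, size_t nslots) {
    if (slot_size < sizeof(void *)) slot_size = sizeof(void *);
    p->slot_size = slot_size;
    p->nslots = nslots;
    p->arena = calloc(nslots, slot_size);
    if (p->arena == NULL) return -1;
    p->free_list = NULL;
    for (size_t i = nslots; i-- > 0;) {      /* thread every slot onto the free list */
        void *slot = p->arena + i * slot_size;
        *(void **)slot = p->free_list;
        p->free_list = slot;
    }
    return 0;
}

static void *pool_alloc(pool_t *p) {
    void *slot = p->free_list;
    if (slot == NULL) return NULL;
    p->free_list = *(void **)slot;
    memset(slot, 0, p->slot_size);           /* never hand out stale contents */
    return slot;
}

static void pool_free(pool_t *p, void *ptr) {
    *(void **)ptr = p->free_list;            /* LIFO: the freed slot is reused first */
    p->free_list = ptr;
}

/* The kind of object a UAF exploit wants to corrupt: it carries a code pointer. */
typedef struct { void (*handler)(void); int state; } critical_obj;
/* An object whose contents ordinary user input fills (hypothetical). */
typedef struct { char data[16]; } user_buf;

/* Returns 1 if, after freeing a critical object, the very next user_buf
 * allocation lands exactly on the dangling pointer (the shared-heap situation a
 * UAF exploit needs), and 0 if the isolated layout keeps the two types apart. */
static int freed_slot_reused_by_other_type(int isolated) {
    pool_t crit_pool, buf_pool;
    if (pool_init(&crit_pool, sizeof(critical_obj), 8) != 0) return -1;
    pool_t *for_bufs = &crit_pool;           /* shared: both types live in one heap */
    if (isolated) {
        if (pool_init(&buf_pool, sizeof(user_buf), 8) != 0) {
            free(crit_pool.arena);
            return -1;
        }
        for_bufs = &buf_pool;                /* isolated: user data gets its own heap */
    }
    critical_obj *c = pool_alloc(&crit_pool);
    void *dangling = c;                      /* pointer kept past free: the UAF condition */
    pool_free(&crit_pool, c);
    user_buf *b = pool_alloc(for_bufs);      /* try to occupy the freed slot with user data */
    int reused = ((void *)b == dangling);
    free(crit_pool.arena);
    if (isolated) free(buf_pool.arena);
    return reused;
}

int main(void) {
    printf("shared heap  : freed slot reused by user data = %d\n",
           freed_slot_reused_by_other_type(0));
    printf("isolated heap: freed slot reused by user data = %d\n",
           freed_slot_reused_by_other_type(1));
    return 0;
}
```

In the shared layout the freed slot comes straight back on the next same-sized allocation, which is what lets attacker-shaped data sit underneath a stale pointer; in the isolated layout the two arenas never overlap, so a stale `critical_obj` pointer can only ever point at another `critical_obj`. Real allocators add more (size classes, zeroing on free, delayed reuse), but the type separation shown here is the core of the mitigation.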
Zerodium announced its bug bounty on Twitter, stating that the company is offering over one hundred thousand dollars in payouts for specific exploits.
The first is a $100,000 bounty for an exploit that bypasses Flash Player’s heap isolation together with a sandbox escape; the second is a $65,000 bounty for an exploit that bypasses heap isolation without a sandbox escape.
Adobe added isolated heap to Flash. This month we pay $100K (with sandbox) and $65K (without sandbox) per #exploit bypassing this mitigation
— Zerodium (@Zerodium) January 5, 2016
Unlike the iOS 9 bounty, Zerodium does not appear to have set a deadline by which the exploit must be found; it appears to be an open offer for as long as the mitigation technique stands.
While researchers hunt for a qualifying zero-day vulnerability in Flash, you can stay protected by uninstalling Adobe Flash entirely.