Another month, another double-digit set of vulnerabilities patched in Adobe’s much-maligned Flash technology. Time and again, Flash is identified as a top path to exploitation and a favored attack vector of multiple exploit kits, including the popular Angler kit.
The 17 CVEs in the November update cover several classes of vulnerabilities, including type confusion and use-after-free memory corruption issues. In fact, use-after-free accounts for 15 of the 17 issues patched: CVE-2015-7651, CVE-2015-7652, CVE-2015-7653, CVE-2015-7654, CVE-2015-7655, CVE-2015-7656, CVE-2015-7657, CVE-2015-7658, CVE-2015-7660, CVE-2015-7661, CVE-2015-7663, CVE-2015-8042, CVE-2015-8043, CVE-2015-8044 and CVE-2015-8046.
Adobe credits HP’s Zero Day Initiative (ZDI) with reporting 12 of the 17 issues, with four issues reported by Natalie Silvanovich of Google’s Project Zero and a single issue reported by security vendor Endgame.
ZDI has been aggressively reporting security issues in Adobe’s technologies throughout 2015. In August ZDI reported that it had found 100 security issues in Adobe’s Reader technologies. ZDI’s researchers have also been working on helping multiple vendors learn how to better mitigate use-after-free memory errors, which are common across multiple classes of application software.
ZDI is currently in a state of transition, however, as the security research unit is part of Hewlett-Packard’s sale of TippingPoint to Trend Micro for $300 million.
Google has been actively helping Adobe secure Flash. In July Adobe patched Flash for 38 vulnerabilities, 20 of which were reported by Google. Google isn’t just reporting vulnerabilities, but is also helping Adobe develop mitigations that reduce the risk from certain classes of attack.
ZDI and Google aren’t the only ones working on Flash security mitigations. Endgame is credited with reporting CVE-2015-7663, also a use-after-free memory vulnerability, in the November update.
“The vulnerability exists due to the improper tracking of freed allocations associated with a ‘Renderer’ object when handling multiple progress bar additions,” Endgame researcher Cody Pierce blogged.
To help defend against use-after-free exploitation, Endgame is turning to control flow integrity (CFI), a mitigation that validates the target of an indirect control transfer (such as a call through a function pointer or virtual table entry) against the set of targets the program is expected to reach, and flags anything else.
“Whereas heap isolation can be very effective at preventing successful exploitation, a CFI-based approach additionally allows us to detect active exploitation attempts since we are inspecting and validating when control flow — the path that an application executes — has changed,” Pierce stated.
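The distinction Pierce draws is easier to see in code. The following is an added illustration, not Adobe’s or Endgame’s code and not the Flash bug itself: a constructed "renderer" object whose first field is a draw callback, a use-after-free on it, and the two mitigations side by side. With heap isolation the attacker’s data cannot land in the freed renderer slot, so the stale call silently reaches the original function; with a CFI check the stale target is validated before the indirect call and the hijack attempt is reported. A two-slot toy allocator stands in for the real heap so the free-then-reuse sequence is deterministic, and the names (`renderer_t`, `toy_alloc`, `run_scenario`) are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example (not Adobe's or Endgame's code). A renderer object with a
 * draw callback, a dangling pointer to it after free, and attacker data that
 * refills the freed slot. Compared: no mitigation, heap isolation, and a CFI
 * check on the indirect call target. */

typedef struct renderer {
    void (*draw)(struct renderer *);   /* indirect call target the UAF corrupts */
    int progress;
} renderer_t;

/* Toy two-slot heap: without isolation every allocation shares slot 0, so a
 * freed renderer is immediately reused by the next same-sized allocation. */
enum { BUCKET_RENDERER = 0, BUCKET_BLOB = 1 };
static renderer_t arena[2];
static int in_use[2];
static int isolate_heaps;               /* 1 = each type gets its own bucket */

static void *toy_alloc(int bucket) {
    int slot = isolate_heaps ? bucket : 0;
    if (in_use[slot]) return NULL;
    in_use[slot] = 1;
    return &arena[slot];
}
static void toy_free(void *p) {         /* like most allocators: no zeroing */
    for (int i = 0; i < 2; i++) if (p == &arena[i]) in_use[i] = 0;
}

static int legit_draws, payload_runs;
static void draw_progress(renderer_t *r)   { (void)r; legit_draws++; }
static void attacker_payload(renderer_t *r) { (void)r; payload_runs++; } /* stand-in for shellcode */

/* CFI policy for the renderer->draw call site: the only legitimate targets are
 * the known draw implementations (a compiler-based CFI derives this set from
 * the call site's function type; here it is an explicit allowlist). */
static void (*const draw_targets[])(renderer_t *) = { draw_progress };
static int cfi_valid_draw(void (*target)(renderer_t *)) {
    for (size_t i = 0; i < sizeof draw_targets / sizeof draw_targets[0]; i++)
        if (draw_targets[i] == target) return 1;
    return 0;
}

/* Returns 0 = legitimate draw ran, 1 = control flow hijacked, -1 = CFI detected it. */
int run_scenario(int isolation, int cfi) {
    isolate_heaps = isolation;
    memset(in_use, 0, sizeof in_use);
    legit_draws = payload_runs = 0;

    renderer_t *r = toy_alloc(BUCKET_RENDERER);
    r->draw = draw_progress;
    r->progress = 0;
    toy_free(r);                        /* the bug: r is still used after this */

    /* Attacker "sprays" a same-sized blob whose first word is a function pointer
     * of their choosing. Without isolation it lands in the renderer's old slot. */
    void *blob = toy_alloc(BUCKET_BLOB);
    void (*fp)(renderer_t *) = attacker_payload;
    memcpy(blob, &fp, sizeof fp);

    /* Stale dereference through the dangling pointer. */
    if (cfi && !cfi_valid_draw(r->draw))
        return -1;                      /* detection point: unexpected call target */
    r->draw(r);
    return payload_runs ? 1 : 0;
}

int main(void) {
    printf("no mitigation : %d\n", run_scenario(0, 0));   /* 1: hijacked */
    printf("heap isolation: %d\n", run_scenario(1, 0));   /* 0: not hijacked, but nothing observed */
    printf("cfi check     : %d\n", run_scenario(0, 1));   /* -1: attempt detected */
    return 0;
}
```

Isolation works by keeping the attacker’s blob out of the renderer’s bucket, so the dangling pointer still sees the old, intact callback; the program survives but there is no signal that anything was attempted. The CFI check instead inspects the value actually loaded from the stale object and refuses to transfer control to a target outside the allowed set, which is exactly the point at which an exploitation attempt becomes observable.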
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.