Zerodium is offering up to $100,000 as a reward for researchers who submit exploits able to bypass Adobe’s recent isolated heap changes to Flash.
Adobe Flash has never been the most secure software, and it is well known as a vulnerable program which, if left unpatched, can act as a pathway for cybercriminals to compromise PC systems.
However, due to the popularity of the web content player, few disable or uninstall the software — and this persistent use has led to the development of malware which exploits vulnerabilities within Flash, as well as a regular patch update cycle issued by Adobe to fix fresh security problems.
In recent weeks, Adobe has attempted to improve Flash’s security profile by altering the program’s structure and deploying heap isolation in Flash version 18.0.0209. Originally, Flash relied upon a single heap for ActionScript objects, which gave attackers the opportunity to target vector objects and take advantage of use-after-free (UAF) vulnerabilities with relative ease.
Exploits which take advantage of UAF can result in memory corruption and, in severe cases, remote code execution.
Zerodium wants to circumvent these changes. On Tuesday, the exploit buyer announced via Twitter a new addition to its buy bounty program — a way to get around Flash’s isolated heap mitigation. Zerodium is offering researchers $100,000 for a working exploit — with a sandbox escape — and $65,000 without a sandbox escape for each individual exploit submitted.
Zerodium calls itself a “premium exploit acquisition platform,” and is constantly on the lookout for zero-day exploits which target popular software and operating systems, such as Microsoft Windows, Apple OS X, Google Chrome and Android.
The company offers financial rewards of up to $500,000 for novel attacks, and is willing to pay even more for “exceptional” exploits.
In November, Zerodium paid a group of hackers $1 million after launching a competition to find a remote exploit for Apple’s latest mobile operating system, iOS 9.
In December, Adobe issued a massive patch update which addressed 78 CVE vulnerabilities in Flash Player, seven of which were deemed high-risk.