Zerodium is offering $100,000 / €93,000 to the first security researcher/security researcher/hacker, who finds a zero-day bug capable of avoiding Flash’s new isolated heap protection. Adobe had deployed Heap Isolation in Flash version 18.0.0209 a few months back, with an aim at making the Use-After-Free (UAF) vulnerabilities more difficult for cybercriminals to exploit.
— Zerodium (@Zerodium) January 5, 2016 Heap Isolation was announced by Adobe in December and is Adobe’s latest weapon against cyber criminals and hackers. Isolated heap protection is a modern security technique that separates data processes inside the computer’s memory. Adobe worked with Google’s Project Zero developers to develop this feature and it was implemented in the Flash Player version 18.0.0.209. “This change will limit the ability for attackers to effectively leverage use-after-free vulnerabilities for exploitation,” said Adobe in December. The heap isolation technique has been difficult to crack as seen from the bounty offered by Zerodium. According to a price list published by Zerodium, the max payout for Flash zero-days is $80000. So the $20000 increment in this latest bug bounty is a certificate of sorts for heap isolation technique. Adobe which has been a major victim of the Hacking Team data breach in June 2015, has taken steps to secure its ever flawed Flash Player.
