UPDATED 03:50 EDT / JULY 20 2015


Google steps in to help Adobe fend off Flash attacks

Adobe Systems Inc. probably can’t help thinking these days that “no news” is “good news”. The security of its Adobe Flash Player has become a complete fiasco: it’s an abject failure, and untold amounts of data are at risk from the numerous vulnerabilities in the software. Things have gotten so bad that tech giants like Facebook and Mozilla are openly calling for its eradication.

But that’s not likely to happen, thanks to a helping hand lent by another tech giant. Google’s security experts have stepped in to help Adobe prop up its Flash Player with a number of security enhancements that’ll hopefully deter some of the miscreants from exploiting the vulnerable plug-in.

Google says it hopes the new mechanisms it has introduced will be able to thwart most attempts at exploiting bugs in Flash. The measures aren’t perfect, but with Adobe unable to find every zero-day bug in its code and the large number of reported attacks, they’re still a welcome improvement.

The weaknesses in Flash are numerous, but the most common bugs include what are called use-after-free (UAF) memory vulnerabilities. Adobe has patched 38 different Common Vulnerabilities and Exposures (CVEs) in the last month, three of them described as zero-day exploits that were discovered by Italy’s Hacking Team.

However, it’s not Adobe but Google that has actually discovered the most exploits in Flash recently. According to Adobe, Google’s Project Zero security team found 20 of these CVEs. But rather than just report the bugs to Adobe and leave it there, Google went further and also helped the company to remediate them. These bugs have now been mitigated in the latest Flash v18.0.0.209 update.

Google’s Mark Brand and Chris Evans revealed exactly what they’ve done in a technical blog post. Essentially, they’ve set up protection against a common class of exploits that target UAF vulnerabilities in memory. Google’s team used a number of techniques, including one known as “heap partitioning”.

“Heap partitioning is a technique that isolates different types of objects on the heap from one another,” Google’s engineers wrote. “Chrome uses heap partitioning extensively, and it has become a common defensive technique in multiple browsers. We have now introduced this technology into Flash.”
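To make the quoted description concrete, here is an added example (not code from Adobe, Google or the blog post): a toy fixed-slot allocator showing that on a shared heap a freed slot is handed to an object of a different type, while on a partitioned heap it is not. All names (`KIND_VECTOR`, `KIND_STRING`, `slot_reused`) are made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy allocator, constructed for illustration; not Flash's or Chrome's. */
enum kind { KIND_VECTOR = 0, KIND_STRING = 1, NKINDS = 2 };
#define SLOTS 8
struct slot { struct slot *next; char body[56]; };
struct heap {
    int partitioned;                 /* 0: one shared pool, 1: one pool per kind */
    struct slot arena[SLOTS];
    struct slot *free_list[NKINDS];  /* LIFO free lists, as many allocators use */
};

/* Pick the free list a request of this kind is served from. */
static int pool_of(const struct heap *h, enum kind k) {
    return h->partitioned ? (int)k : 0;
}

static void heap_free(struct heap *h, enum kind k, void *p) {
    struct slot *s = p;
    s->next = h->free_list[pool_of(h, k)];
    h->free_list[pool_of(h, k)] = s;
}

static void *heap_alloc(struct heap *h, enum kind k) {
    struct slot **head = &h->free_list[pool_of(h, k)];
    struct slot *s = *head;
    if (s) *head = s->next;
    return s;                        /* NULL when the pool is exhausted */
}

static void heap_init(struct heap *h, int partitioned) {
    h->partitioned = partitioned;
    h->free_list[0] = h->free_list[1] = NULL;
    for (int i = 0; i < SLOTS; i++)  /* hand slots out to the pools in turn */
        heap_free(h, (enum kind)(i % NKINDS), &h->arena[i]);
}

/* Free an object of kind `freed`, then allocate one of kind `requested`.
 * Returns 1 if the new object lands where the freed one was, which is the
 * situation in which a stale pointer would alias an object of another type. */
int slot_reused(int partitioned, enum kind freed, enum kind requested) {
    static struct heap h;
    heap_init(&h, partitioned);
    void *old = heap_alloc(&h, freed);
    heap_free(&h, freed, old);
    return heap_alloc(&h, requested) == old;
}

int main(void) {
    printf("shared heap, vector->string reuse:      %d\n", slot_reused(0, KIND_VECTOR, KIND_STRING));
    printf("partitioned heap, vector->string reuse: %d\n", slot_reused(1, KIND_VECTOR, KIND_STRING));
    printf("partitioned heap, vector->vector reuse: %d\n", slot_reused(1, KIND_VECTOR, KIND_VECTOR));
    return 0;
}
```

The last line of output shows the limit of the technique: a freed slot can still be reused by another object of the same type.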

Google has also helped Adobe to improve randomization of the Flash memory heap. Memory randomization is a technique that’s seen considerable success on Windows operating systems, where it’s called “address space layout randomization (ASLR)”. Google said it has used the same technique to randomize Flash’s memory more thoroughly than operating systems do on their own.

Brand and Evans said that despite these mitigations, they’re embroiled in an endless game of cat-and-mouse with attackers who’ll likely try to come up with counter-mitigations of their own.

But they warned: “We’ll be looking out for attackers’ attempts to adapt, and devising further mitigations based on what we see. Perhaps more importantly, we’re also devising a next level of defenses based on what we expect we might see.”

What with the Chrome browser directly integrating Flash, it makes sense that Google would want to help make the technology more secure. A Flash vulnerability does make Chrome users vulnerable after all, but it’s still interesting that Google has stepped in to prop things up, rather than join in with Mozilla and Facebook in blocking the plugin and calling for its demise.
