Slashdot Mirror

← Back to Stories (view on slashdot.org)

Exploit Vendor Zerodium Puts $100,000 Bounty On Flash's New Security Feature (softpedia.com)

Posted by Soulskill on from the all-about-the-benjamins dept.

An anonymous reader writes: Zerodium, the company that buys zero-day bugs from security researchers and then sells them forward to government intelligence agencies, has put out a new bounty, this one on Adobe's Flash Player. The exploit vendor is offering $100,000 to the first researcher that finds a similar zero-day bug, capable of avoiding Flash's newly-released isolated heap memory protection feature. Previously, Zerodium offered $1 million to a security researcher for a zero-day bug in Apple's iOS 9 operating system.

31 of 57 comments (clear)

  1. Re:Moo by mark-t · · Score: 1

    How would their boss know?

    --
    File under 'M' for 'Manic ranting'
  2. Re:Slashtards... by mark-t · · Score: 1

    Does it matter which one?

    --
    File under 'M' for 'Manic ranting'
  3. The most value from such an exploit... by jtara · · Score: 2

    The most value from such an exploit...

    ... would be being able to accumulate a list of the users stupid enough to still have Flash installed! (Or allowing it to be run indiscriminately))

    (If you do have it, please use a flash blocker, so that you then only click on the button to run the flash on trusted sites.)

    1. Re:The most value from such an exploit... by jtara · · Score: 1

      ...because then you would have a list of gullible people.

    2. Re:The most value from such an exploit... by KGIII · · Score: 1

      Probably something like:

      sudo apt-get purge adobeflash* && sudo apt-get purge pepperflash*

      That should work. Close your browser while it runs, also check Google before running those but they should work on Mint.

      --
      "So long and thanks for all the fish."
  4. Re:Moo by mark-t · · Score: 1

    First of all, their boss would have no way to know what an employee can or cannot afford.... at least not legally.

    Secondly, not all people who would commit such an act are dumb enough to publicly flaunt illicitly acquired wealth.

    --
    File under 'M' for 'Manic ranting'
  5. Re:Uninstall Flash by epyT-R · · Score: 1

    That only leaves the gaping hole that is the browser's enabled javascript engine..

  6. Just imagine they had to pay $100k for _every_ bug by ffkom · · Score: 1

    ... in Flash that compromises security... they would be bankrupt within a week!

  7. click-to-play by jonwil · · Score: 1

    With all the security holes in Flash these days, I dont get why browsers haven't made "click to play" for flash videos the default. No flash videos would run unless you activated them.

    1. Re:click-to-play by wvmarle · · Score: 1

      I think this is because video is just one of the many uses of Flash. It would break, for example, the menus of many sites - albeit far less than it used to be nearly a decade ago when I first installed FlashBlock, there still are some around.

  8. Arms trafficking by Etherwalk · · Score: 4, Informative

    For all the ridiculous arms export regulations around encryption historically, this actually seems much more like serious arms sales. Explicitly selling vulnerabilities, other than in a bug bounty program, is organized crime.

    1. Re:Arms trafficking by jopsen · · Score: 1

      Explicitly selling vulnerabilities, other than in a bug bounty program, is organized crime.

      Adobe certainly has a standing... Considering that all the big corps feel they have standing when researchers publically share and discuss DRM.
      There is clearly no "fair use" or "public interest" argument to be made here, quite the opposite.

    2. Re:Arms trafficking by adolf · · Score: 2

      Meh.

      It's a lot like offering to pay someone who first figures out how to pick a new type of mechanical lock, and brokering that information to an interested third party.

      Is that -- should that -- be a crime?

      --
      Kid-proof tablet..
    3. Re:Arms trafficking by Lunix+Nutcase · · Score: 1

      You paid for Flash player?

    4. Re:Arms trafficking by robbak · · Score: 1

      Yes, unless the 'interested party' is the manufacturer, who will quickly recall the locks and replace them with secure ones.

      --
      Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
    5. Re:Arms trafficking by wvmarle · · Score: 1

      Wrong comparison.

      Even perfectly constructed mechanical locks requiring a mechanical key can be picked. Or otherwise broking using force. It may be hard to pick, it may need a lot of force, but they can be broken. This as mechanical locks are always approached physically.

      A perfect digital lock can only be broken by brute forcing the cryptographic key: trying again and again, trillions of times if needed. The digital lock of course can easily rate limit this to prevent even that attack, leaving it truly unbreakable. This unless the digital lock is approached physically, but that's not the question here, we're talking about remote access. Furthermore, stumbling upon the key to one of these locks leaves all others still locked - again assuming perfect design where all keys are truly random and different.

      Software like Flash should not even be compared to a lock, but to a prison cell. No way out. Perfect brick walls, extending all around you in all directions, no doors or windows or even the drain pipe of a loo. The problem now is of course that the wall Flash built has some bricks missing, and that's where there may be a way through that wall. Telling everyone which bricks are missing shouldn't be a crime - taking advantage of that information however may very well be.

    6. Re:Arms trafficking by adolf · · Score: 1

      As we learn over and over again, there is no such thing as a perfect digital lock: These can be picked just as carefully and undetectably as any mechanical lock.

      There's no need to pick out Flash here, as even OpenBSD is not immune to imperfection.

      --
      Kid-proof tablet..
    7. Re:Arms trafficking by wvmarle · · Score: 1

      Given enough time and effort, a digital lock could become perfect: no bugs left. Of course that's a lot of effort, yet it is what we should always aim for in software, and OpenBSD is doing a great job in that respect. It's as good as unbreakable.

  9. Re:Moo by mark-t · · Score: 1

    Actually, yes I have. But how many people I have met is irrelevant to the veracity of my statement. If all people were truly that dumb, then there would be no such thing as an unsolved crime because nobody would be smart enough to get away with doing anything illegal.

    --
    File under 'M' for 'Manic ranting'
  10. Re:Just imagine they had to pay $100k for _every_ by Penguinisto · · Score: 2

    Pretty sure they pocket at least 5-10x that $100k for every sale they make to a governmental organization...

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  11. Re:Uninstall Flash by AHuxley · · Score: 1

    1+ for that suggestion. Remove the issue and enjoy the internet :)
    All the documents released or made public seem to show a huge trade in and demand for access into different OS.
    Stop using one of the sold and traded ways into modern OS's.

    --
    Domestic spying is now "Benign Information Gathering"
  12. Re:Slashtards... by mark-t · · Score: 1

    So.... yes? Okay, too bad. I'm pretty sure somebody could have claimed the hundred otherwise.

    --
    File under 'M' for 'Manic ranting'
  13. Re:Slashtards... by Zero__Kelvin · · Score: 1

    Give it up. Nobody is having sex with you, bounty or not.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  14. Re:Moo by mysidia · · Score: 1

    If all people were truly that dumb, then there would be no such thing as an unsolved crime because nobody would be smart enough to get away with doing anything illegal.

    What makes you think unsolved crimes are people getting away with things because they are smart?

    Perhaps they just got lucky, and the investigators missed or accidentally spoiled evidence that was sitting right in front of them.

    Also, perhaps they got away with it, because the team investigating their particular crime was so dumb and incompetent, and failed to investigate things they should, and/or lazy, because they reported the right lead as ruled out (based on fallacious thinking).

  15. Nice marketing Zerodumdum by Anonymous Coward · · Score: 1

    This is like their "we paid out (pinky in mouth) $1 million for an Apple iOS 9.1 bug".

    http://www.theinquirer.net/inquirer/news/2433087/zerodium-pays-out-usd1m-for-ios-91-untethered-jailbreak

    Except there's no evidence they did, but it was handy marketing for them. If they had, Apple could sue them and obtain the bug details (and $$$ in compensation) on a "tortuous interference in business" claim.

    So take it with a pinch of salt.

  16. Re:Moo by mark-t · · Score: 1

    Perhaps.... and while it is doubtlesss fair to acknowledge the existence of such incompetence, I believe it is gross underestimation of other people to assume that most who work at a technical company like Adobe are certain to be too clueless to realize that publicly flaunting wealth that might get a person in trouble with their boss is unwise.

    That level of intellectual vacuity is what you'd expect from a fictional character in a comedic situation where the audience or reader is expected to laugh at the character's outlandish stupidity behind the character's choices more than it is a realistic expectation of an actual member of society. While I won't dismiss that it's certainly possible... but I wouldn't expect it to be particularly likely.

    Please note, Gus Gorman from Superman 3 is *NOT* a typical example of an individual that pulls in a salary like that of an average Adobe employee.

    --
    File under 'M' for 'Manic ranting'
  17. Re:Moo by Incadenza · · Score: 1

    Secondly, not all people who would commit such an act are dumb enough to publicly flaunt illicitly acquired wealth.

    But some are. This just happened yesterday:

    A police spokesman said the two suspected Dutch traffickers - arrested at stunning five-star Santiago de Compostela hotel Hostal Dos Reis Catolicos on the city’s famous Obradoiro Square - had drawn attention to themselves by “throwing 500 euro notes around as if they were water.”

  18. Re:Uninstall Flash by ChoGGi · · Score: 1

    open chrome://plugins/ and disable it?

  19. Re: Slashtards... by monkeyhybrid · · Score: 1

    But in that situation, don't your beards act like some kind of velcro?

  20. Re:Slashtards... by cant_get_a_good_nick · · Score: 1

    Pay my wife? She'd love it....

  21. Re:Slashtards... by cant_get_a_good_nick · · Score: 1

    (rimshot)