Exploit Vendor Zerodium Puts $100,000 Bounty On Flash's New Security Feature (softpedia.com)
An anonymous reader writes: Zerodium, the company that buys zero-day bugs from security researchers and then sells them forward to government intelligence agencies, has put out a new bounty, this one on Adobe's Flash Player. The exploit vendor is offering $100,000 to the first researcher that finds a similar zero-day bug, capable of avoiding Flash's newly-released isolated heap memory protection feature. Previously, Zerodium offered $1 million to a security researcher for a zero-day bug in Apple's iOS 9 operating system.
Re: (Score:2)
But in that situation, don't your beards act like some kind of velcro?
Re: (Score:2)
Pay my wife? She'd love it....
Re: (Score:2)
(rimshot)
Moo (Score:1)
Time to make friends with someone who works at Adobe then. An easy $50,000 sounds nice.
Re: (Score:2)
First of all, their boss would have no way to know what an employee can or cannot afford.... at least not legally.
Secondly, not all people who would commit such an act are dumb enough to publicly flaunt illicitly acquired wealth.
Re: (Score:2)
If all people were truly that dumb, then there would be no such thing as an unsolved crime because nobody would be smart enough to get away with doing anything illegal.
What makes you think unsolved crimes are people getting away with things because they are smart?
Perhaps they just got lucky, and the investigators missed or accidentally spoiled evidence that was sitting right in front of them.
Also, perhaps they got away with it, because the team investigating their particular crime was so dumb and inco
Re: (Score:2)
Perhaps.... and while it is doubtless fair to acknowledge the existence of such incompetence, I believe it is a gross underestimation of other people to assume that most who work at a technical company like Adobe are certain to be too clueless to realize that publicly flaunting wealth that might get a person in trouble with their boss is unwise.
That level of intellectual vacuity is what you'd expect from a fictional character in a comedic situation where the audience or reader is expected to laugh at the
Re: (Score:2)
Secondly, not all people who would commit such an act are dumb enough to publicly flaunt illicitly acquired wealth.
But some are. [mirror.co.uk] This just happened yesterday:
A police spokesman said the two suspected Dutch traffickers - arrested at stunning five-star Santiago de Compostela hotel Hostal Dos Reis Catolicos on the city’s famous Obradoiro Square - had drawn attention to themselves by “throwing 500 euro notes around as if they were water.”
the reason is??? (Score:1)
The most value from such an exploit... (Score:3)
The most value from such an exploit...
... would be being able to accumulate a list of the users stupid enough to still have Flash installed! (Or allowing it to be run indiscriminately)
(If you do have it, please use a flash blocker, so that you then only click on the button to run the flash on trusted sites.)
Re: (Score:2)
...because then you would have a list of gullible people.
Re: (Score:1)
Probably something like:
sudo apt-get purge 'adobeflash*' && sudo apt-get purge 'pepperflash*'
That should work. Close your browser while it runs, also check Google before running those but they should work on Mint.
Re: (Score:2)
That only leaves the gaping hole that is the browser's enabled javascript engine..
Re: (Score:1)
open chrome://plugins/ and disable it?
Re: (Score:2)
All the documents released or made public seem to show a huge trade in and demand for access into different OS.
Stop using one of the sold and traded ways into modern OS's.
Just imagine they had to pay $100k for _every_ bug (Score:2)
Re: (Score:3)
Pretty sure they pocket at least 5-10x that $100k for every sale they make to a governmental organization...
click-to-play (Score:2)
With all the security holes in Flash these days, I don't get why browsers haven't made "click to play" for flash videos the default. No flash videos would run unless you activated them.
Re: (Score:2)
I think this is because video is just one of the many uses of Flash. It would break, for example, the menus of many sites - albeit far less than it used to be nearly a decade ago when I first installed FlashBlock, there still are some around.
Arms trafficking (Score:4, Informative)
For all the ridiculous arms export regulations around encryption historically, this actually seems much more like serious arms sales. Explicitly selling vulnerabilities, other than in a bug bounty program, is organized crime.
Re: (Score:2)
Explicitly selling vulnerabilities, other than in a bug bounty program, is organized crime.
Adobe certainly has a standing... Considering that all the big corps feel they have standing when researchers publicly share and discuss DRM.
There is clearly no "fair use" or "public interest" argument to be made here, quite the opposite.
Re: (Score:2)
You paid for Flash player?
Re: (Score:3)
Meh.
It's a lot like offering to pay someone who first figures out how to pick a new type of mechanical lock, and brokering that information to an interested third party.
Is that -- should that -- be a crime?
Re: (Score:2)
Wrong comparison.
Even perfectly constructed mechanical locks requiring a mechanical key can be picked. Or otherwise broken using force. It may be hard to pick, it may need a lot of force, but they can be broken. This as mechanical locks are always approached physically.
A perfect digital lock can only be broken by brute forcing the cryptographic key: trying again and again, trillions of times if needed. The digital lock of course can easily rate limit this to prevent even that attack, leaving it truly unbre
Re: (Score:2)
As we learn over and over again, there is no such thing as a perfect digital lock: These can be picked just as carefully and undetectably as any mechanical lock.
There's no need to pick out Flash here, as even OpenBSD is not immune to imperfection.
Re: (Score:2)
Given enough time and effort, a digital lock could become perfect: no bugs left. Of course that's a lot of effort, yet it is what we should always aim for in software, and OpenBSD is doing a great job in that respect. It's as good as unbreakable.
Nice marketing Zerodumdum (Score:1)
This is like their "we paid out (pinky in mouth) $1 million for an Apple iOS 9.1 bug".
http://www.theinquirer.net/inquirer/news/2433087/zerodium-pays-out-usd1m-for-ios-91-untethered-jailbreak
Except there's no evidence they did, but it was handy marketing for them. If they had, Apple could sue them and obtain the bug details (and $$$ in compensation) on a "tortious interference in business" claim.
So take it with a pinch of salt.