
I’m idly imagining a massive Google HoneyFarm with browsers that examine payloads from known “harmful sites” and spam or phishing emails.

The moment one of the vulnerabilities is found “in the wild,” the patch is automatically pushed into the wild, Adobe be damned.



Google did this just recently:

http://googleonlinesecurity.blogspot.com/2011/08/fuzzing-at-...

One of the exciting things about working on security at Google is that you have a lot of compute horsepower available if you need it. This is very useful if you’re looking to fuzz something, and especially if you’re going to use modern fuzzing techniques. ... We recently decided to apply the same techniques to fuzz Adobe’s Flash Player, which we include with Chrome in partnership with Adobe.

... we cranked through 20 terabytes of SWF file downloads followed by 1 week of run time on 2,000 CPU cores to calculate the minimal set of about 20,000 files. Finally, those same 2,000 cores plus 3 more weeks of runtime were put to good work mutating the files in the minimal set (bitflipping, etc.) and generating crash cases. These crash cases included an interesting range of vulnerability categories, including buffer overflows, integer overflows, use-after-frees and object type confusions.
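The two steps the quoted post describes (distilling a large corpus down to a minimal set that preserves coverage, then bit-flipping members of that set to produce crash cases) are easy to show in miniature. The block below is an added example, not Google's fuzzing code and not the tooling the post refers to. It assumes a constructed toy record format (tag byte, length byte, payload) standing in for SWF, and a `coverage()` function that reports which parser branches a file exercises as a stand-in for the edge coverage an instrumented Flash Player would give; the sample corpus is constructed for illustration.

```python
import random
from typing import Dict, List, Set

# Constructed toy format standing in for SWF: a sequence of
# [tag byte][length byte][payload...] records.
# Real corpus distillation uses coverage from an instrumented target;
# coverage() below is a hypothetical proxy that reports which branches of
# this toy parser a file reaches.

def coverage(data: bytes) -> Set[str]:
    feats: Set[str] = set()
    i = 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        feats.add(f"tag:{tag}")
        feats.add("len:zero" if ln == 0 else "len:short" if ln < 8 else "len:long")
        if i + 2 + ln > len(data):
            feats.add("truncated")   # declared length runs past end of file
            break
        i += 2 + ln
    return feats


def distill(corpus: Dict[str, bytes]) -> List[str]:
    """Greedy set cover: pick files until no file adds new coverage.
    Ties are broken by smaller file size, then name, so the result is deterministic."""
    cov = {name: coverage(data) for name, data in corpus.items()}
    covered: Set[str] = set()
    chosen: List[str] = []
    remaining = set(corpus)
    while remaining:
        best = min(remaining, key=lambda n: (-len(cov[n] - covered), len(corpus[n]), n))
        gain = cov[best] - covered
        if not gain:
            break
        chosen.append(best)
        covered |= gain
        remaining.discard(best)
    return chosen


def flip_bits(data: bytes, n: int, rng: random.Random) -> bytes:
    """Flip n distinct bits chosen at random (the 'bitflipping' mutator)."""
    buf = bytearray(data)
    for pos in rng.sample(range(len(buf) * 8), n):
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def mutate_corpus(corpus: Dict[str, bytes], minimal: List[str],
                  rounds: int, seed: int = 0) -> List[bytes]:
    """Generate deduplicated mutants of the minimal set; each would be fed to
    the target, and any crash recorded as a candidate crash case."""
    rng = random.Random(seed)
    seen: Set[bytes] = set()
    out: List[bytes] = []
    for _ in range(rounds):
        for name in minimal:
            m = flip_bits(corpus[name], rng.randint(1, 4), rng)
            if m not in seen:
                seen.add(m)
                out.append(m)
    return out


# Constructed sample corpus (hypothetical). a.bin and d.bin add no coverage
# beyond what b.bin and c.bin already reach, so distillation drops them.
CORPUS: Dict[str, bytes] = {
    "a.bin": bytes([1, 2, 0x78, 0x78]),
    "b.bin": bytes([1, 2, 0x79, 0x79, 2, 0]),
    "c.bin": bytes([3, 10]) + b"\x00" * 10,
    "d.bin": bytes([3, 10]) + b"\x00" * 10 + bytes([1, 2, 0x7A, 0x7A]),
    "e.bin": bytes([4, 5, 0x41, 0x41]),
}


def full_coverage(corpus: Dict[str, bytes], names=None) -> Set[str]:
    names = list(corpus) if names is None else names
    return set().union(*(coverage(corpus[n]) for n in names))


if __name__ == "__main__":
    minimal = distill(CORPUS)
    print("minimal set:", minimal)
    print("coverage preserved:", full_coverage(CORPUS, minimal) == full_coverage(CORPUS))
    print("mutants generated:", len(mutate_corpus(CORPUS, minimal, rounds=50)))
```

The greedy cover is the usual approximation for this problem; at the scale in the post the expensive part is collecting coverage for every input, which is why the distillation alone took a week on 2,000 cores.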


If Google wanted to spend a lot of effort just to hot-foot one of the harder working teams in software security they could indeed build a system whose primary function was to put pressure on Adobe.


I’m confused by the relationship between your statement and my imaginary HoneyFarm.

First, how would a system that searches for exploits in the wild then releases patches for those vulnerabilities have a primary purpose of “putting pressure on Adobe?” Its primary purpose is to protect the users of its products from an exploit.

Second, help me understand why I should care about how hard Adobe’s team works. Are you saying they deserve our sympathy? Or implying that since they are smart and working hard, we cannot expect any better results than they are getting?


I think Adobe's team deserves more sympathy than it gets. I'm not making any comment about Adobe-the-company, which I know very little about.



