Published on June 24, 2015

Adobe Flash CVE-2015-3113 0-day

In April 2015 Adobe released an update to patch CVE-2015-3043, which was being actively exploited in the wild by, among others, threat actor APT28 during operation RussianDoll. The vulnerability was a heap overflow in the FLV audio parsing engine; the culprit was a hardcoded heap buffer length of 0x2000 bytes. The attackers simply had to provide a source capable of bypassing the length check and overwrite the buffer with more than 0x2000 bytes.

On June the 23rd Adobe released another patch to address a new vulnerability that was assigned the ID CVE-2015-3113. Flash vulnerabilities are far from uncommon, but this new patch was essentially released to address a vulnerability that had, in principle, already been patched.
In the previous patch the audio parsing engine was fixed to accept only buffer lengths <= 0x2000 bytes, which should have been enough:
But, as pointed out by TrendMicro, the Nellymoser codec uses a hardcoded doubling operation, shown here:
While the check works fine for all the other codecs, in the case of Nellymoser there is an expansion factor of 2x that is still capable of triggering the very same vulnerability. Of course, it's not the first time that we have encountered an exploit that reuses an old vulnerability. Most of the time this type of mistake can be prevented with proper regression tests, but for maximum security it's a good idea to keep Flash disabled where applicable. After all, Flash is still the component most commonly exploited by both threat actors and exploit kits.
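
The incomplete fix described above, as an added example: a simplified model, not Adobe's code, that contrasts a check on the declared length with a check on the size after codec expansion, plus the kind of per-codec regression sweep the post recommends. The function and enum names are hypothetical, and the model assumes the decoder writes the declared length times the codec's factor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define OUT_BUF_LEN 0x2000u /* fixed heap buffer size named in the post */

/* Hypothetical codec ids; only Nellymoser's 2x factor comes from the post. */
enum codec { CODEC_OTHER, CODEC_NELLYMOSER };

static size_t expansion_factor(enum codec c) {
    return c == CODEC_NELLYMOSER ? 2 : 1;
}

/* Model of the first fix: bounds the declared length only. */
int check_input_only(enum codec c, size_t in_len) {
    (void)c;
    return in_len <= OUT_BUF_LEN;
}

/* Hardened form: bounds the size actually written after expansion. */
int check_decoded_size(enum codec c, size_t in_len) {
    size_t f = expansion_factor(c);
    if (in_len > SIZE_MAX / f) return 0; /* multiplication would wrap */
    return in_len * f <= OUT_BUF_LEN;
}

/* Bytes a decoder would write beyond the buffer for this length. */
size_t bytes_past_end(enum codec c, size_t in_len) {
    size_t out = in_len * expansion_factor(c);
    return out > OUT_BUF_LEN ? out - OUT_BUF_LEN : 0;
}

/* Regression sweep, every codec: accepted lengths whose output overflows. */
int regression_gaps(int (*check)(enum codec, size_t)) {
    static const size_t lens[] = {0, 0x1000, 0x1001, 0x2000, 0x2001};
    int gaps = 0;
    for (int c = CODEC_OTHER; c <= CODEC_NELLYMOSER; c++)
        for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
            if (check((enum codec)c, lens[i]) &&
                bytes_past_end((enum codec)c, lens[i]) > 0)
                gaps++;
    return gaps;
}

int main(void) {
    printf("input-only check gaps:   %d\n", regression_gaps(check_input_only));
    printf("decoded-size check gaps: %d\n", regression_gaps(check_decoded_size));
    return 0;
}
```

A sweep limited to the 1x codecs reports no gaps for either check, which is why the boundary test has to run against every codec path.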