Researchers at Trend Micro say the zero-day vulnerability patched Tuesday by Adobe Systems has a similar underlying cause as an older flaw.
On Tuesday, Adobe patched CVE-2015-3113 – a vulnerability in Adobe Flash Player being exploited in the wild by the attack group APT3.
“Our analysis of the current flaw reveals that the root cause of CVE-2015-3113 is similar to CVE-2015-3043,” blogged Trend Micro Threats Analyst Peter Pi. “Both cause a buffer overflow within the Flash Player code. In fact, code targeting the previous exploit can also cause crashes in version 18.0.0.160 (the version immediately before this emergency update).”
Both vulnerabilities can be used to run arbitrary code on targeted systems if they visit a site with a malicious Flash file. Both are also heap overflow vulnerabilities in the FLV audio parsing flow, reside in how Flash Player processes audio with the Nellymoser codec and can be triggered by modifying the FLV file’s audio tag, explained Pi.
“They both overflow a hardcoded length heap buffer with a length of 0x2000,” he wrote. “CVE-2015-3043 and CVE-2015-3113 both trigger this bug using sample_count * sample_size > 0x2000, and bypass the length check.”
Adobe patched CVE-2015-3043 in 17.0.0.169 by limiting the sample count acquired from the FLV audio tag. In version 18.0.0.160, the code underwent significant changes, Pi noted.
“The GetSampleCount function checks the final buffer size needed,” he explained. “If the final buffer size is larger than 0x2000, it will limit it to 0x2000. However, this ignores the Nellymoser decode function’s hardcoded double operation; this can be used to trigger a heap buffer overflow once again.”
According to Pi, both vulnerabilities “share the same underlying root cause.”
“This incident highlights how important careful development of patches is, to prevent patched bugs from being re-exploited at a later time,” Pi wrote. “Regression testing must also be a part of software development in order to check that old bugs do not threaten new versions of software.”
In a statement to SecurityWeek, Adobe said it performs regression testing as part of its standard testing process.
“As the Trend Micro article notes, CVE-2015-3113 and CVE-2015-3043 are similar, but different,” according to the company. “We will be performing a 0-day review on this issue to determine whether the regression test did not consistently reproduce the issue or whether there is another reason the similarity was not immediately noted and addressed.”