Fortinet Security Researcher Discovers Multiple Critical Vulnerabilities in Adobe Flash Player

I discovered and reported multiple critical zero-day vulnerabilities in Adobe Flash Player last November. This Tuesday, Adobe released a security patch which fixed them. These vulnerabilities are identified as CVE-2017-2984, CVE-2017-2990, and CVE-2017-2991.  CVE-2017-2984 actually fixed three issues I reported because they have the same root cause. Due to the critical rating of these vulnerabilities, we suggest users apply the Adobe patchs as soon as possible.

Following is more details of these vulnerabilities.

CVE-2017-2984[1][2][3]

This is a heap overflow vulnerability that exists in the Flash Player h264 decoder. Specifically, a malformed MP4 file that contains images with a resolution smaller than specified causes this vulnerability. It results in an out of bounds memory access due to improper bounds checking when manipulating a pointer to a heap allocated buffer.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted MP4 file.

Fortinet previously released IPS signature Adobe.Flash.h264.Decoding.Heap.Overflow for this specific vulnerability to proactively protect our customers.

CVE-2017-2990

This is a memory corruption vulnerability existing in Flash Player h264 decompression. Specifically, a malformed MP4 file that contains a malformed ‘dref’ tag and malformed sample size associated with ‘stsz’ tag causes this vulnerability. It results in an out of bounds memory access, which sometimes triggers an access violation exception.

A remote attacker may be able to use a crafted MP4 file to exploit this vulnerability, thereby causing arbitrary code within the context of the application to execute.

Fortinet previously released IPS signature Adobe.Flash.MP4.H264.Decompression.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2017-2991

This is a memory corruption vulnerability existing in Flash Player h264 codec. Specifically, a malformed MP4 file that contains malformed YUV frame data causes this vulnerability. It causes an out of bounds memory access, which sometimes triggers an access violation exception.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted MP4 file.

Fortinet previously released IPS signature Adobe.Flash.H264.Codec.YUV.Memory.Corruption for this specific vulnerability to proactively protect our customers.