Adobe has released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. Adobe Illustrator was hit the hardest.
There are 16 critical bugs, all of which allow arbitrary code execution in the context of the current user. They affect Adobe Illustrator, Adobe Animate, Adobe After Effects, Adobe Photoshop, Adobe Premiere Pro, Adobe Media Encoder, Adobe InDesign and the Adobe Creative Cloud Desktop Application.
Many of the issues concern uncontrolled search-path elements, but there are also out-of-bounds problems, memory-corruption issues and a cross-site scripting (XSS) bug.
“Arbitrary code execution vulnerabilities are particularly nefarious given that they enable attackers to directly run malicious code on the exploited systems,” Jay Goodman, strategic product marketing manager at Automox, told Threatpost. “Coupled with the fact that these vulnerabilities are in critical technologies like Marketo and most of the Adobe Creative Cloud applications, this could leave sensitive marketing data and creative IP exposed to destruction or IP theft by potential adversaries. Organizations should move to quickly patch these vulnerabilities within the 72-hour window [we recommend] in order to minimize exposure and maintain a high level of cyber-hygiene.”
Two of the issues are out-of-bounds read flaws (CVE-2020-24409, CVE-2020-24410); one is an out-of-bounds write bug (CVE-2020-24411). Tran Van Khang, working with Trend Micro's Zero Day Initiative, is credited with the discoveries.
“All of these vulnerabilities occur within the processing of PDF files by Illustrator,” Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative, told Threatpost. “In all three cases, an attacker can leverage the vulnerabilities to execute code in the context of the current process.”
For the out-of-bounds read bugs, “Illustrator does not properly validate user-supplied data, which can result in a read past the end of an allocated structure,” he explained.
Meanwhile, the out-of-bounds write bug “occurs because Illustrator does not properly validate user-supplied data, which can result in a write past the end of an allocated structure,” Childs said.
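The failure Childs describes, a length or count field taken from the file and trusted without checking it against the size of the allocated structure, is the common root of both out-of-bounds reads and writes. The following C program is an added illustration and is not Adobe's or ZDI's code; it uses a constructed toy record format (a 16-bit count followed by that many 16-bit values) rather than PDF, and places the record inside a larger arena we own so the over-read is observable rather than undefined. The unchecked parser walks past the 6-byte record and folds neighbouring bytes into its result; the checked parser validates the claimed size against the allocation before touching any byte.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record format (an assumption for this example, not Illustrator's PDF parser):
 *   bytes 0..1 : little-endian count of values
 *   bytes 2..  : `count` little-endian 16-bit values
 */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern: the count is taken from the file and trusted, so a
 * crafted count walks the read cursor past the end of the allocation. */
long sum_values_unchecked(const uint8_t *buf, size_t len)
{
    (void)len;                            /* allocation size is never consulted */
    uint16_t count = rd16(buf);
    long sum = 0;
    for (size_t i = 0; i < (size_t)count; i++)
        sum += rd16(buf + 2 + 2 * i);     /* may read beyond buf + len */
    return sum;
}

/* Hardened pattern: every access is checked against len before it happens.
 * Returns false (and leaves *out untouched) when the record is malformed. */
bool sum_values_checked(const uint8_t *buf, size_t len, long *out)
{
    if (buf == NULL || len < 2)
        return false;
    uint16_t count = rd16(buf);
    size_t needed = 2 + 2 * (size_t)count; /* count <= 65535, cannot overflow */
    if (needed > len)
        return false;                      /* claimed payload exceeds the allocation */
    long sum = 0;
    for (size_t i = 0; i < (size_t)count; i++)
        sum += rd16(buf + 2 + 2 * i);
    *out = sum;
    return true;
}

#define RECORD_LEN 6   /* the "allocated structure": count + two values */
#define ARENA_LEN 16   /* surrounding memory the over-read spills into */

/* Builds a constructed arena: a 6-byte record claiming 5 values, followed by
 * filler bytes that stand in for neighbouring data (filler pairs decode as 65). */
static void build_crafted_arena(uint8_t arena[ARENA_LEN])
{
    for (size_t i = 0; i < ARENA_LEN; i++)
        arena[i] = (i % 2 == 0) ? 0x41 : 0x00;
    arena[0] = 5; arena[1] = 0;           /* count field claims 5 values */
    arena[2] = 1; arena[3] = 0;           /* value 1 */
    arena[4] = 2; arena[5] = 0;           /* value 2 */
}

/* Unchecked parser on the crafted record: sums 1, 2 and three filler values
 * read from past the record's end. */
long crafted_unchecked_sum(void)
{
    uint8_t arena[ARENA_LEN];
    build_crafted_arena(arena);
    return sum_values_unchecked(arena, RECORD_LEN);
}

/* Checked parser on the same crafted record: rejects it. */
bool crafted_checked_accepted(void)
{
    uint8_t arena[ARENA_LEN];
    long sum = 0;
    build_crafted_arena(arena);
    return sum_values_checked(arena, RECORD_LEN, &sum);
}

/* Checked parser on a well-formed 2-value record; returns -1 if rejected. */
long well_formed_checked_sum(void)
{
    const uint8_t good[RECORD_LEN] = {2, 0, 1, 0, 2, 0};
    long sum = 0;
    return sum_values_checked(good, sizeof good, &sum) ? sum : -1;
}

int main(void)
{
    printf("well-formed record, checked: sum=%ld\n", well_formed_checked_sum());
    printf("crafted record, unchecked: sum=%ld (includes bytes past the record)\n",
           crafted_unchecked_sum());
    printf("crafted record, checked: %s\n",
           crafted_checked_accepted() ? "accepted" : "rejected");
    return 0;
}
```

The design point is that the check compares the size the file claims against the size the program actually allocated, not against another value read from the same untrusted file; the same comparison, applied before a copy rather than a read, is what prevents the out-of-bounds write variant.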
The other four Illustrator bugs are due to memory corruption (CVE-2020-24412, CVE-2020-24413, CVE-2020-24414 and CVE-2020-24415), and Honggang Ren of Fortinet's FortiGuard Labs was given the hat-tip for these.
Ren is also credited with finding an out-of-bounds read problem (CVE-2020-24418) in After Effects for Windows (17.1.1 and earlier versions).
Meanwhile, Animate for Windows (20.5 and earlier versions) contains a double-free bug (CVE-2020-9747); a stack-based buffer overflow issue (CVE-2020-9748); and two out-of-bounds reads (CVE-2020-9749 and CVE-2020-9750).
Kexu Wang of Fortinet’s FortiGuard Labs is credited with finding the issues. Wang is also credited with finding a memory-corruption bug (CVE-2020-24421) afflicting InDesign for Windows (15.1.2 and earlier versions).
Meanwhile, Hou JingYi of Qihoo 360 CERT found four critical uncontrolled search-path element bugs, including in:
Users can update their software installations via the Creative Cloud desktop app updater, or by navigating to the application’s Help menu and clicking “Updates.”
Speaking of Creative Cloud, the Creative Cloud Desktop Application Installer for Windows (5.2 and earlier versions for the older product and 2.1 and earlier versions for the new installer) also has an uncontrolled search-path element bug (CVE-2020-24422) – this one uncovered by Dhiraj Mishra.
Adobe Dreamweaver 20.2 and earlier versions for Windows and macOS contain an uncontrolled search-path element bug that could allow privilege escalation (CVE-2020-24425). The flaw also affects libCURL dependencies in Dreamweaver 20.1 and earlier.
The out-of-band patches follow the disclosure of just one vulnerability in October as part of Adobe’s regularly scheduled patches (markedly less than the 18 flaws addressed during its September regular update).
That was a critical bug in its Flash Player application for users on Windows, macOS, Linux and ChromeOS operating systems (CVE-2020-9746). If successfully exploited, it could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user, according to Adobe.
Also this month, Adobe announced two critical flaws (CVE-2020-24407 and CVE-2020-24400) in Magento – Adobe’s e-commerce platform that is commonly targeted by attackers like the Magecart threat group. They could allow arbitrary code execution as well as read or write access to the database.
The Flash Player flaw (CVE-2020-9746) stems from a NULL pointer dereference error and affects the Windows, macOS, Linux and ChromeOS versions of Adobe Flash Player.
Adobe Fixes 16 Critical Code-Execution Bugs Across Portfolio