Adobe squashes 35 critical vulnerabilities in security patch update

Arbitrary code execution issues have eclipsed other security problems in February’s patch round.


Adobe has released over 40 security fixes, most of them for critical vulnerabilities in its software, in this month's patch update.

The majority of the fixes impact Adobe Framemaker, a document processor, according to a security advisory published on Tuesday. 

Adobe Framemaker versions 2019.0.4 and below on the Microsoft Windows operating system are impacted by a total of 21 vulnerabilities, all of which are considered critical -- the highest severity rating currently used. 


Buffer errors, heap overflow problems, out-of-bounds write, and memory corruption issues are all included, any of which can lead to the execution of arbitrary code. 

Critical, important, and moderate security flaws have also been tackled in Adobe Acrobat DC, Reader DC, Acrobat / Reader 2017, and Acrobat / Reader 2015 on Windows and macOS.

In total, 12 critical vulnerabilities -- heap overflow, buffer errors, use-after-free flaws, and privilege escalation bugs -- have been squashed. These security issues, if exploited, can lead to arbitrary code execution and arbitrary file system writes. 

Adobe has also resolved three important out-of-bounds read problems leading to information disclosure and two moderate stack exhaustion vulnerabilities that could be exploited to cause memory leaks.

There are two vulnerabilities of note that have been smoothed over this month in Adobe Digital Editions, version 4.5.11, on Windows machines. 


The first, CVE-2020-3759, is an important buffer security flaw that can be exploited to cause information leaks. The second and more severe of the two, CVE-2020-3760, is a critical command injection issue that can be weaponized for arbitrary code execution. 

Adobe Flash Player has also appeared in the February security update. Versions 32.0.0.321 and earlier on Windows, macOS, Linux, and Chrome OS are affected by CVE-2020-3757, a critical type confusion bug which, if exploited, can lead to the execution of arbitrary code. 

The tech giant has also released security hotfixes for Adobe Experience Manager, versions 6.4 and 6.5, on all platforms. The automatic update addresses CVE-2020-3741, a resource-draining bug which can cause denial-of-service. 

Adobe has thanked researchers from Trend Micro Zero Day, Qihoo 360 Technology, Topsec Alpha Team, Cisco Talos, McAfee, and others for reporting the security flaws. 

Microsoft's February Patch Tuesday was also vast, containing fixes for 99 vulnerabilities including a zero-day flaw impacting Internet Explorer. In total, 11 bugs were deemed critical. 


On Tuesday, Adobe launched a new version of Adobe XD which includes support for macOS Voice Control in a boost to software accessibility. The feature will allow users to open and control Adobe XD using their voice rather than a trackpad or mouse. 
