Adobe's latest round of security updates fixes severe bugs in Experience Manager, InDesign, and Framemaker.
The largest patch covers Adobe Experience Manager (AEM) 6.5.5.0 and earlier, 6.4.8.1 and earlier, 6.3.3.8 and earlier, and 6.2 SP1-CFP20 and earlier. The AEM Forms add-on package at Service Pack 5 and earlier is also affected.
Five critical vulnerabilities, including reflected and stored cross-site scripting (XSS) issues, have been resolved in AEM. The bugs are tracked as CVE-2020-9732, CVE-2020-9734, CVE-2020-9740, CVE-2020-9741, and CVE-2020-9742.
Two of the security issues, CVE-2020-9732 and CVE-2020-9734, specifically relate to the Forms service pack.
Six other bugs, deemed important, have also been resolved in AEM. CVE-2020-9733 is described as an "execution with unnecessary privileges" issue that can lead to information disclosure if abused, whereas CVE-2020-9743 is a browser-based arbitrary HTML injection vulnerability.
Adobe has also updated a range of software dependencies, including Handlebars.js, Lodash.js, Log4j, and Dom4j.
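The advisory expresses the affected builds as "and earlier" ceilings per release line, with the 6.2 line tracked by service pack and cumulative fix pack rather than a fourth dotted component. The following is an added example (not Adobe's code and not from the original article) that turns those ceilings into a check an administrator can run over an inventory of AEM instances; the hostnames in the sample inventory are constructed, and the version-string formats it parses are assumed from the advisory's own notation.

```python
import re
from typing import Dict, Optional, Tuple

# "And earlier" ceilings from Adobe's September 2020 AEM bulletin, keyed by
# release line. The 6.2 line is encoded as (major, minor, SP, CFP) so that
# "6.2 SP1-CFP20" compares like any other 4-tuple.
AFFECTED_CEILINGS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (6, 5): (6, 5, 5, 0),
    (6, 4): (6, 4, 8, 1),
    (6, 3): (6, 3, 3, 8),
    (6, 2): (6, 2, 1, 20),  # 6.2 SP1-CFP20
}

# Matches the "6.2 SP1-CFP20" style; the SP and CFP parts are each optional.
_SP_CFP = re.compile(r"^(\d+)\.(\d+)(?:\s+SP(\d+))?(?:-CFP(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an AEM version string into a comparable 4-tuple.

    Accepts dotted builds ("6.5.5.0", "6.4.8") and the service-pack form
    ("6.2 SP1", "6.2 SP1-CFP20"). Missing trailing components count as 0.
    """
    text = text.strip()
    m = _SP_CFP.match(text)
    if m and (m.group(3) is not None or m.group(4) is not None):
        major, minor = int(m.group(1)), int(m.group(2))
        return (major, minor, int(m.group(3) or 0), int(m.group(4) or 0))
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AEM version: {text!r}")
    nums = tuple(int(p) for p in parts)
    padded = (nums + (0, 0, 0, 0))[:4]
    return (padded[0], padded[1], padded[2], padded[3])


def is_affected(version: str) -> Optional[bool]:
    """True if the build is at or below the ceiling for its release line,
    False if it is newer than the ceiling, None if the advisory does not
    list that release line at all (so it needs a manual decision)."""
    v = parse_version(version)
    ceiling = AFFECTED_CEILINGS.get((v[0], v[1]))
    if ceiling is None:
        return None
    return v <= ceiling


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch', 'ok' or 'review' (line not in the advisory)."""
    verdicts: Dict[str, str] = {}
    for host, version in inventory.items():
        status = is_affected(version)
        if status is None:
            verdicts[host] = "review"
        else:
            verdicts[host] = "patch" if status else "ok"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "author-1": "6.5.5.0",
        "publish-1": "6.5.6.0",
        "legacy-1": "6.2 SP1-CFP20",
        "legacy-2": "6.2 SP1-CFP21",
        "lab": "6.1.0",
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

A release line the advisory does not mention (6.1 in the sample) deliberately comes back as "review" rather than "ok": the advisory says nothing about it, and an end-of-life line that receives no fixes at all is usually a worse position than a listed, patchable one.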
In this month's security round, the software giant has patched a total of five vulnerabilities in Adobe InDesign. The bugs, affecting versions 15.1.1 and earlier, "could lead to arbitrary code execution in the context of the current user," according to Adobe.
Each security issue -- CVE-2020-9727, CVE-2020-9728, CVE-2020-9729, CVE-2020-9730, and CVE-2020-9731 -- is described as a memory corruption flaw.
Adobe Framemaker, a document processor for large and structured documents, has also received a security update. Two critical vulnerabilities, an out-of-bounds read (CVE-2020-9726) and a stack-based buffer overflow (CVE-2020-9725), could lead to arbitrary code execution if exploited.
"While none of the vulnerabilities disclosed in Adobe's release are known to be actively attacked today, all patches should be prioritized on systems with these products installed," says Jimmy Graham, Senior Director of Product Management at Qualys.
The tech giant thanked researchers from Trend Micro and Fortinet's FortiGuard Labs for disclosing some of the security issues.
Adobe's previous security patch, issued in August, tackled 26 critical and important bugs in Acrobat and Reader; 11 of them could be used in remote code execution attack chains.
Adobe Flash has been a frequent entrant on security update lists for many years. Microsoft, Adobe, Apple, Facebook, Google, and Mozilla intend to end support for the software by the end of 2020, and earlier this week Microsoft clarified its timeline for removing Flash support from Microsoft Edge and Internet Explorer 11. After that date, Adobe will also stop issuing security fixes for the software.
In related news, Microsoft's latest round of security fixes resolved 129 vulnerabilities across 15 products, including 20 critical remote code execution flaws.