Adobe has released an out-of-band patch to tackle a remote code execution (RCE) flaw in Adobe Character Animator.
On Tuesday, the company released a security advisory warning customers of CVE-2020-9586, a stack-based buffer overflow vulnerability that could lead to RCE attacks.
Adobe Character Animator versions 3.2 and earlier, on both Windows and macOS machines, are vulnerable to the critical bug, which has been issued a CVSS severity score of 7.8.
While there are no reported cases of the security flaw being exploited in the wild, attackers could trigger it by persuading users to open a crafted, malicious document. It is also possible for this vulnerability to cause system crashes.
A security update for Adobe Premiere Pro has also been made available. The fix addresses CVE-2020-9616, a vulnerability present in versions 14.1 and earlier of the software.
Deemed important, the out-of-bounds read bug can be used for information disclosure on Windows and macOS systems.
Alongside the Premiere Pro patch, Adobe Premiere Rush -- 1.5.8 and earlier versions -- and Adobe Audition -- versions 13.0.5 and earlier -- have also received software security updates.
Rush is susceptible to CVE-2020-9617, an out-of-bounds read issue, whereas past editions of Audition are vulnerable to CVE-2020-9618, a separate out-of-bounds read flaw. Both bugs can be weaponized in attacks to create data leaks.
Adobe credited Mat Powell of the Trend Micro Zero Day Initiative for reporting all of the vulnerabilities resolved in the latest security release.
This is not the only out-of-band patch the company has released outside its general security schedule in recent times. In February, Adobe released an out-of-band patch that fixed two critical vulnerabilities in Media Encoder and After Effects that could be exploited to trigger code execution.
Earlier this month, Adobe resolved 36 vulnerabilities in DNG, Reader, and Acrobat through the firm's standard monthly security update. The most severe issues could be used in remote code execution attacks.