Adobe issues out-of-band patch to fix remote code execution flaw in animation software

Information leaks have also been patched up in Premiere Rush, Audition, and Premiere Pro.

With most of the staff teleworking, these are the CIO's new priorities
1:00

Adobe has released an out-of-band patch to tackle a remote code execution (RCE) flaw in Adobe Character Animator. 

On Tuesday, the company released a security advisory warning customers of CVE-2020-9586, a stack-based buffer overflow vulnerability that could lead to RCE attacks.

Adobe Character Animator on Windows and macOS machines, versions 3.2 and earlier, are vulnerable to the critical bug which has been issued a CVSS severity score of 7.8. 

See also: Adobe releases out-of-band patch for critical code execution vulnerabilities

While there are no reported cases of the security flaw being exploited in the wild, attackers could trigger an attack through persuading users to open a crafted, malicious document. It is also possible for this vulnerability to cause system crashes

A security update for Adobe Premiere Pro has also been made available. A fix has been issued to mitigate the risk of exploit by way of CVE-2020-9616, a vulnerability present in versions 14.1 and earlier of the software. 

Deemed important, the out-of-bounds read bug can be used for information disclosure on Windows and macOS systems. 

CNET: Huawei ban timeline: Chinese company criticizes 'pernicious' new US export controls

Alongside the Premiere Pro patch, Adobe Premiere Rush -- 1.5.8 and earlier versions -- and Adobe Audition -- versions 13.0.5 and earlier -- have also received software security updates. 

Rush is susceptible to CVE-2020-9617, an out-of-bounds read issue, whereas past editions of Audition are vulnerable to CVE-2020-9618, a separate out-of-bounds read flaw. Both bugs can be weaponized in attacks to create data leaks. 

Adobe credited Mat Powell of the Trend Micro Zero Day Initiative for reporting all of the vulnerabilities resolved in the latest security release.

TechRepublic: Productive pandemic: Searches for free online courses are up 309%

This is not the only out-of-band patch the company has released in addition to its general security schedule in recent times. In February, Adobe released an out-of-band patch that fixed two critical vulnerabilities in Media Encoder and After Effects that could be exploited to trigger code execution. 

Earlier this month, Adobe resolved 36 vulnerabilities in DNG, Reader, and Acrobat through the firm's standard monthly security update. The most severe issues could be used in remote code execution attacks.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0