Adobe patches 17 critical code execution bugs in Photoshop, Reader, Brackets

Other vulnerabilities resolved include privilege escalation and information leaks.
Written by Charlie Osborne, Contributing Writer

Adobe's December security release includes fixes for 17 critical vulnerabilities in software that could be exploited to trigger arbitrary code execution. 

As part of the software vendor's standard security schedule, vulnerabilities have been patched in Photoshop, Reader, Brackets, and ColdFusion.

In Adobe Photoshop CC, the firm's popular image editing software, Adobe resolved CVE-2019-8253 and CVE-2019-8254, critical memory corruption errors that could lead to the execution of arbitrary code. Versions 20.0.7 and earlier and 21.0.1 and earlier on Windows and macOS machines are impacted. 

The biggest batch of security updates revolves around Adobe Acrobat and Reader, versions 2015, 2017, and DC. 

In total, 14 vulnerabilities affecting the software are considered critical issues. CVE-2019-16450 and CVE-2019-16454 are out-of-bounds write flaws; CVE-2019-16445, CVE-2019-16448, CVE-2019-16452, CVE-2019-16459, and CVE-2019-16464 are use-after-free bugs; while CVE-2019-16446, CVE-2019-16455, CVE-2019-16460, and CVE-2019-16463 are untrusted pointer dereference issues. 

Additionally, a heap overflow problem (CVE-2019-16451), a buffer error (CVE-2019-16462), and a security bypass (CVE-2019-16453) impacting the software have been resolved.

Should any of these vulnerabilities be exploited by attackers, they can trigger arbitrary code execution.

In addition, Adobe squashed six out-of-bounds read problems leading to data leaks, deemed important (CVE-2019-16449, CVE-2019-16456, CVE-2019-16457, CVE-2019-16458, CVE-2019-16461, CVE-2019-16465) and another bug of the same severity, CVE-2019-16444, described as a default folder privilege escalation issue. 

Adobe Brackets, source code editing software for web design and development, has also received a fix for one critical vulnerability. Impacting Windows, Linux, and macOS systems, Brackets versions 1.14 and earlier are susceptible to CVE-2019-8255, a command injection flaw that could be exploited for arbitrary code execution.

The software vendor also released an update for 2018's ColdFusion, resolving an insecure inherited permissions bug leading to privilege escalation. Tracked as CVE-2019-8256, this security flaw is deemed important. 

Adobe thanked researchers from Google Project Zero, the Secure D Center Research Team, FortiGuard Labs, Palo Alto Networks, Baidu Security Lab, and Cisco Talos for reporting the vulnerabilities, among others.

On Patch Tuesday, Microsoft released security fixes resolving 36 vulnerabilities, including a zero-day bug actively being exploited in the wild. The zero-day privilege escalation flaw, discovered by Kaspersky, occurs due to the Win32k component's failure to properly handle memory objects. 

Kaspersky says the bug has been utilized in "Operation WizardOpium" attacks, although no specific threat actors have been linked to the findings. 

In November, Adobe patched vulnerabilities in four products -- Adobe Media Encoder, Illustrator CC, Adobe Bridge CC, and Adobe Animate CC -- and while the security update was relatively small, the worst of the security flaws could have resulted in code execution attacks.

Adobe also warned customers in the same month that support for Adobe Acrobat and Reader 2015 will end on April 7, 2020. The software giant often ends support after five years of general availability.
