Adobe fixes critical code execution vulnerabilities in 2021's first major patch round

Seven different products have received fixes during January’s security update.
Written by Charlie Osborne, Contributing Writer

Adobe's first major batch of security updates in 2021 resolves seven critical bugs that can lead to code execution. 

On Tuesday, the tech giant released separate security advisories describing the vulnerabilities now resolved in seven products. The impacted software is Photoshop, Illustrator, Animate, Bridge, InCopy, Captivate, and Campaign Classic. 

The first security fix has been applied to the Photoshop image creation software on Windows and macOS machines. Tracked as CVE-2021-21006, the critical heap-based buffer overflow bug can be abused to trigger arbitrary code execution.  

Adobe Illustrator, on Windows PCs, is the subject of the firm's second patch. The critical bug, CVE-2021-21007, is described as an uncontrolled search path element error that can also lead to code execution. 

The third critical problem, discovered in Adobe Animate on Windows machines, is the same kind of security flaw resulting in the same consequences. This vulnerability is tracked as CVE-2021-21008. 

Adobe Bridge, used to port and switch content between different forms of creative software -- such as between Photoshop and Lightroom -- is subject to a fix for CVE-2021-21012 and CVE-2021-21013, critical out-of-bounds write flaws leading to arbitrary code execution. 

Another uncontrolled search path element vulnerability was found in Adobe InCopy, tracked as CVE-2021-21010. This critical bug can also be weaponized for malicious code execution. 

In Adobe Campaign Classic, on Windows and Linux PCs, the company has tackled CVE-2021-21009, a critical server-side request forgery (SSRF) flaw that can be exploited for the purpose of sensitive information disclosure. 

A hotfix has also been issued for CVE-2021-21011, an uncontrolled search path element bug, deemed "important," that was found in Windows-based versions of Adobe Captivate. If exploited, the vulnerability can lead to privilege escalation. 

It is recommended that users accept automatic updates where appropriate to update their builds and stay protected. 

Adobe thanked researchers from the nsfocus security team, Qihoo 360 CERT, Decathlon, Trend Micro's Zero Day Initiative, and both Jamie Parfet and Saurabh Kumar for reporting the issues now resolved in the patch round. 

In December's security update, the tech giant patched critical vulnerabilities in Adobe Lightroom, Prelude, and Experience Manager. 

Earlier this week, Adobe warned that the company has started to block Flash content worldwide in a bid to urge users to uninstall the software. 

While Flash was once a popular method to display animated content, the software is known for being riddled with security holes. As software best left as an artifact of 2000s website development, the company will no longer issue security fixes or updates. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards