Adobe has released an out-of-band patch tackling severe bugs found in Bridge, Illustrator, and Magento.
On Tuesday, the software giant released three separate security advisories addressing a total of 35 vulnerabilities, 25 of which are deemed critical. If exploited, the most severe bugs could lead to the execution of arbitrary code and information disclosure.
Adobe Bridge, an asset manager used in tandem with software including Photoshop, accounts for 14 of the critical bugs now resolved. Versions 10.0.4 and below on Windows and macOS machines are impacted by the security update.
The critical vulnerabilities tackled are CVE-2020-9555, a stack-based buffer overflow flaw, a pair of heap buffer overflow problems -- CVE-2020-9562 and CVE-2020-9563 -- a single memory corruption bug, CVE-2020-9568, two use-after-free problems, CVE-2020-9566 and CVE-2020-9567, and eight out-of-bounds write vulnerabilities (CVE-2020-9554, CVE-2020-9556, CVE-2020-9559, CVE-2020-9560, CVE-2020-9561, CVE-2020-9564, CVE-2020-9565, CVE-2020-9569).
If exploited by a threat actor, the security flaws can all be used to execute arbitrary code in the context of the current user.
The company also patched CVE-2020-9553, CVE-2020-9557, and CVE-2020-9558, important out-of-bounds read issues potentially leading to information disclosure.
Adobe Illustrator 2020, versions 24.0.2 and earlier on Windows machines, is the subject of the second security update.
CVE-2020-9570, CVE-2020-9571, CVE-2020-9572, CVE-2020-9573, and CVE-2020-9574, now resolved, are memory corruption issues that can be exploited in code execution attacks.
Adobe has also released a security advisory describing a swathe of patches for the Magento e-commerce platform.
The vulnerabilities impact Magento Commerce and Open Source (2.3.4 and earlier), Magento Enterprise Edition (18.104.22.168 and earlier) and Magento Community Edition (22.214.171.124 and earlier). In addition, Magento Commerce and Open Source versions 2.2.11 and earlier are affected, but it should be noted that the Magento 2.2.x branch reached end of support in 2019.
In total, Adobe has resolved 13 vulnerabilities, half of which are deemed critical whilst the rest are either important or moderate.
These include CVE-2020-9576, CVE-2020-9578, CVE-2020-9582, and CVE-2020-9583, all of which are critical command injection flaws, and CVE-2020-9579, a critical security bypass issue. If exploited, each of these vulnerabilities can trigger arbitrary code execution.
Stored XSS, authorization bypass, and timing discrepancy problems have also been patched.
Adobe thanked a squadron of independent cybersecurity researchers, alongside those from organizations including the Trend Micro Zero Day Initiative and Fortinet's FortiGuard Labs for reporting the security issues.