Adobe patches critical code, corruption bugs across Bridge, Illustrator, Magento

The company has squashed a range of critical flaws leading to arbitrary code execution.
Written by Charlie Osborne, Contributing Writer

Adobe has released an out-of-band patch tackling severe bugs found in Bridge, Illustrator, and Magento.

On Tuesday, the software giant released three separate security advisories addressing a total of 35 vulnerabilities, 25 of which are deemed critical. If exploited, the most severe bugs could lead to the execution of arbitrary code and information disclosure. 

Adobe Bridge, an asset manager used in tandem with software including Photoshop, accounts for 14 of the critical bugs now resolved. Versions 10.0.4 and below on Windows and macOS machines are impacted by the security update.

The critical vulnerabilities tackled are CVE-2020-9555, a stack-based buffer overflow flaw, a pair of heap buffer overflow problems -- CVE-2020-9562 and CVE-2020-9563 -- a single memory corruption bug, CVE-2020-9568, two use-after-free problems, CVE-2020-9566 and CVE-2020-9567, and eight out-of-bounds write vulnerabilities (CVE-2020-9554, CVE-2020-9556, CVE-2020-9559, CVE-2020-9560, CVE-2020-9561, CVE-2020-9564, CVE-2020-9565, CVE-2020-9569). 

If exploited by a threat actor, the security flaws can all be used to execute arbitrary code in the context of the current user. 

The company also patched CVE-2020-9553, CVE-2020-9557, and CVE-2020-9558, important out-of-bounds read issues potentially leading to information disclosure.

Adobe Illustrator 2020, versions 24.0.2 and earlier on Windows machines, is the subject of the second security update.

CVE-2020-9570, CVE-2020-9571, CVE-2020-9572, CVE-2020-9573, and CVE-2020-9574, now resolved, are memory corruption issues that can be exploited in code execution attacks. 

Adobe has also released a security advisory describing a swathe of patches for the Magento e-commerce platform. 

The vulnerabilities impact Magento Commerce and Open Source (2.3.4 and earlier), Magento Enterprise Edition ( and earlier) and Magento Community Edition ( and earlier). In addition, Magento Commerce and Open Source versions 2.2.11 and earlier are affected, but it should be noted that Magento 2.2x reached end of support in 2019.

In total, Adobe has resolved 13 vulnerabilities, half of which are deemed critical whilst the rest are either important or moderate. 

These include CVE-2020-9576, CVE-2020-9578, CVE-2020-9582, and CVE-2020-9583, all of which are critical command injection flaws, and CVE-2020-9579, a critical security bypass issue. If exploited, each of these vulnerabilities can trigger arbitrary code execution. 

Stored XSS, authorization bypass, and timing discrepancy problems have also been patched. 
Adobe thanked a squadron of independent cybersecurity researchers, alongside those from organizations including the Trend Micro Zero Day Initiative and Fortinet's FortiGuard Labs for reporting the security issues. 
