Adobe has released an out-of-schedule fix to resolve two vulnerabilities that may expose user systems to code execution attacks.
On Wednesday, the software vendor released two separate security advisories describing the issues, warning that each bug is deemed critical, the highest severity score available. However, there is at present no evidence the vulnerabilities are being exploited in the wild.
The first vulnerability, CVE-2020-3764, impacts Adobe Media Encoder versions 14.0 and earlier on the Microsoft Windows platform.
The security flaw is an out-of-bounds write vulnerability that can be exploited for arbitrary code execution.
Adobe has resolved a second vulnerability, CVE-2020-3765, that impacts Adobe After Effects versions 16.1.2 and earlier on Windows machines. This bug, too, is an out-of-bounds write that may lead to arbitrary code execution. However, in this case, attacks can only take place in the context of the current user.
Users of Adobe Media Encoder and After Effects should update their software builds immediately. The tech giant thanked researcher Francis Provencher, alongside Matt Powell from the Trend Micro Zero Day Initiative for reporting the vulnerabilities.
Adobe does not often release out-of-band patches unless serious, critical vulnerabilities are being, or have the risk of being, exploited in the wild.
Two standard monthly security releases have taken place so far this year. In January's patches, nine bugs were resolved that included critical memory corruption issues in Adobe Illustrator CC 2019 that could be exploited for arbitrary code execution, as well as sensitive information disclosure problems in Adobe Experience Manager.
This month's patch release was more robust, resolving 35 critical vulnerabilities including heap overflow problems, out-of-bounds write, use-after-free flaws, and privilege escalation bugs in software. If exploited, the bugs could lead to code execution, arbitrary file system writes, memory leaks, and more.
Previous and related coverage
- Adobe's first 2020 security patch update fixes code execution vulnerabilities
- Adobe launches Experience Platform out of Azure in Australia
- Adobe intros new Experience Cloud features, launches Experience Manager as cloud service
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0