Adobe releases out-of-band patch for critical code execution vulnerabilities

The severe security problems can be exploited to launch code execution attacks.

Adobe gives marketers AI-based tools to use customers' data in real time
14:10:00

Adobe has released an out-of-schedule fix to resolve two vulnerabilities that may expose user systems to code execution attacks. 

On Wednesday, the software vendor released two separate security advisories describing the issues, warning that each bug is deemed critical, the highest severity score available. However, there is at present no evidence the vulnerabilities are being exploited in the wild.

See also: Adobe squashes 35 critical vulnerabilities in security patch update

The first vulnerability, CVE-2020-3764, impacts Adobe Media Encoder versions 14.0 and earlier on the Microsoft Windows platform. 

The security flaw is an out-of-bounds write vulnerability that can be exploited for arbitrary code execution. 

Adobe has resolved a second vulnerability, CVE-2020-3765, that impacts Adobe After Effects versions 16.1.2 and earlier on Windows machines. This bug, too, is an out-of-bounds write that may lead to arbitrary code execution. However, in this case, attacks can only take place in the context of the current user. 

CNET: UCLA cancels on-campus facial recognition program after backlash

Users of Adobe Media Encoder and After Effects should update their software builds immediately. The tech giant thanked researcher Francis Provencher, alongside Matt Powell from the Trend Micro Zero Day Initiative for reporting the vulnerabilities.  

Adobe does not often release out-of-band patches unless serious, critical vulnerabilities are being, or have the risk of being, exploited in the wild. 

TechRepublic: Security holes in 2G and 3G networks will pose a risk for next several years

Two standard monthly security releases have taken place so far this year. In January's patches, nine bugs were resolved that included critical memory corruption issues in Adobe Illustrator CC 2019 that could be exploited for arbitrary code execution, as well as sensitive information disclosure problems in Adobe Experience Manager. 

This month's patch release was more robust, resolving 35 critical vulnerabilities including heap overflow problems, out-of-bounds write, use-after-free flaws, and privilege escalation bugs in software. If exploited, the bugs could lead to code execution, arbitrary file system writes, memory leaks, and more.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0