Adobe security update squashes critical vulnerabilities in Lightroom, Prelude

Adobe’s last major patch round of 2020 has dealt with arbitrary code and JavaScript execution bugs.
Written by Charlie Osborne, Contributing Writer

Adobe's last scheduled security update of the year has resolved critical vulnerabilities in Lightroom, Prelude, and Experience Manager. 

Released on Tuesday, the tech giant's patches deal with four vulnerabilities, three of which are deemed critical. 

The first fix was issued for Adobe Lightroom, image editing software that is popular with professional photographers. Impacting Lightroom Classic version 10.0 and below on Windows and macOS machines, the critical issue -- tracked as CVE-2020-24447 -- is described as an uncontrolled search path element vulnerability leading to arbitrary code execution. 

A second critical bug was found in Adobe Prelude for Windows and macOS, version 9.01 and earlier. Tracked as CVE-2020-24440, the severe vulnerability is caused by an uncontrolled search path and, if exploited by attackers, can lead to "arbitrary code execution in the context of the current user," according to Adobe.

Adobe's third security advisory relates to Adobe Experience Manager (AEM) and the AEM Forms add-on package on all platforms. 

Two vulnerabilities have been patched in these software packages. The first, CVE-2020-24445, is a critical bug in AEM CS, and is also found in AEM and earlier. 

CVE-2020-24445 is a stored cross-site scripting (XSS) flaw that can lead to arbitrary JavaScript execution in the browser. 

The second security flaw, CVE-2020-24444, is an "important" vulnerability found in AEM Forms SP6 add-on for AEM and the AEM Forms add-on package for AEM 6.4 Service Pack 8 Cumulative Fix Pack 2 ( This vulnerability is a blind server-side request forgery issue that can be triggered for the purpose of information disclosure. 

Adobe thanked Qihoo 360 CERT researcher Hou JingYi, as well as Frank Karlstrøm and Kenny Jansson of Storebrand Group, Norway, for reporting the security issues to the vendor. 

Adobe's November security update tackled another handful of vulnerabilities, two of which were found in the Connect remote conferencing software, and one in Reader. Connect's bugs could be exploited to perform JavaScript execution in a browser, whereas Reader's lone issue could be used to leak information. 

In Microsoft's last patch update of the year, released on Tuesday, the Redmond giant resolved 58 vulnerabilities, 22 of which are remote code execution (RCE) vulnerabilities. 
