Adobe squashes critical vulnerabilities in Illustrator CC, Media Encoder

The worst bugs resolved this month can result in code execution.


Adobe has released a relatively small patch update that addresses vulnerabilities in four products, including out-of-bounds and memory corruption issues leading to arbitrary code execution.

The software involved in this round of security updates is Adobe Media Encoder, Illustrator CC, Adobe Bridge CC, and Adobe Animate CC. 

On Tuesday, Adobe's security advisories list Media Encoder as the main recipient of security fixes. 


The video optimization software, versions 14.0, as well as 13.1 and earlier on Windows and macOS machines, has been patched to resolve five bugs. All of the vulnerabilities are caused by file parsing issues. Four out-of-bounds read problems are deemed important (CVE-2019-8241, CVE-2019-8242, CVE-2019-8243, and CVE-2019-8244) as they could cause information leaks, whereas CVE-2019-8246, a critical out-of-bounds write security flaw, may permit attackers to execute arbitrary code.

When it comes to Illustrator CC, version 23.1 and earlier and version 24.0 on Windows and macOS PCs, two critical bugs and one important issue have been squashed. The least-important vulnerability, CVE-2019-7962, is a privilege escalation flaw, whereas the two other problems -- CVE-2019-8247 and CVE-2019-8248 -- are critical memory corruption security flaws which can be exploited for code execution.


Adobe has also pushed out a security update for Adobe Bridge CC. The flaws impact versions 10, 9.1 and earlier on Windows and macOS machines. The two vulnerabilities -- CVE-2019-8239 and CVE-2019-8240 -- can be exploited when the software attempts to parse malformed SVG images, prompting memory corruption and the possibility of information disclosure.

In addition, Adobe has released a software update for Adobe Animate CC 19.2.1 and earlier on Windows, and Animate CC version 20 on Windows and macOS. 

This update tackles CVE-2019-7960, a severe DLL hijacking bug that can lead to privilege escalation. 

The tech giant thanked cybersecurity researchers from the nsfocus security team, Qihoo 360 Core Security, Fortinet's FortiGuard Labs, and Trend Micro's Zero Day Initiative for finding and reporting the vulnerabilities. 


Previously, Adobe has tackled critical vulnerabilities in Flash and Application Manager which, if exploited, could lead to remote code execution on vulnerable systems. 

In related news this week, Microsoft's latest Patch Tuesday resolved 74 vulnerabilities, of which 13 are deemed critical. 

Among the fixes are a patch for an Internet Explorer scripting engine RCE bug actively being targeted in the wild and a fix for a security flaw in Trusted Platform Module (TPM) chipsets. A dangerous issue in Excel for Mac that meant "Disable all Macros" was ignored, potentially useful for threat actors conducting phishing campaigns with malicious Excel documents, has also been dealt with.
