Adobe has released an out-of-band emergency security update for Photoshop, Prelude, and Bridge.
On Tuesday, a week after issuing the firm's standard monthly security update, Adobe published security advisories revealing a total of 13 vulnerabilities, 12 of which are deemed critical.
Five vulnerabilities have now been resolved in Photoshop CC 2019 -- versions 20.0.9 and earlier -- and Photoshop 2020 -- versions 21.2 and earlier -- on Windows machines.
CVE-2020-9683 and CVE-2020-9686 are out-of-bounds read issues in the photo editing software, whereas CVE-2020-9684, CVE-2020-9685, and CVE-2020-9687 are out-of-bounds write security flaws.
All of these vulnerabilities are considered critical, as if exploited, can lead to arbitrary code execution.
In Adobe Bridge, versions 10.1.1 and earlier on both Windows and macOS, a single out-of-bounds read (CVE-2020-9675) and two out-of-bounds write vulnerabilities (CVE-2020-9674, CVE-2020-9676) have been resolved. If exploited, these critical bugs also could be used for the execution of arbitrary code by attackers.
Adobe Prelude has also been included in the emergency patch update. In versions 9.0 and earlier of the media tagging software, four critical vulnerabilities exist -- CVE-2020-9677 and CVE-2020-9679 being out-of-bounds read problems, and both CVE-2020-9678 and CVE-2020-9680 are described as out-of-bounds write issues.
These vulnerabilities, too, can be used to perform arbitrary code execution.
Mat Powell of the Trend Micro Zero Day Initiative (ZDI) was credited and thanked for finding and disclosing the vulnerabilities. Speaking to SC Media, ZDI said that the vulnerabilities could be triggered by victims who open a malicious file or who visit a crafted website.
In addition to the fixes issued for the software above, the software giant also released a patch for CVE-2020-9663, an "important" bug in Adobe Reader Mobile on Android mobile devices. Described as a directory traversal issue, if exploited, the vulnerability could lead to information leaks.
The out-of-band release comes after Adobe released its standard monthly security update, in which vulnerabilities in software including Creative Cloud, Media Encoder, ColdFusion, and Download Manager were resolved.
Numerous vendors have released scheduled security fixes over July. Microsoft published a security advisory detailing patches for a total of 123 vulnerabilities; Cisco released fixes for 34 bugs, and SAP, VMware, and Oracle have also released security upgrades.
Previous and related coverage
- IBM, Red Hat, Adobe team up to help regulated industries with data-driven marketing
- Adobe issues out-of-band patch to fix remote code execution flaw in animation software
- SigRed: A 17-year-old 'wormable' vulnerability for hijacking Microsoft Windows Server
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0