22 Critical Flaws Patched in Adobe Photoshop

Patched critical flaws in Adobe’s Photoshop CC photo editing application enable arbitrary code execution.

Adobe has patched 22 critical vulnerabilities in Adobe Photoshop CC, its photo editing application, which the company warns can enable arbitrary code execution.

Overall, Adobe issued patches for 119 important and critical vulnerabilities in August, including 25 critical bugs across several platforms. The majority of those critical flaws exist in Adobe Photoshop CC. Also fixed were two in Creative Cloud Desktop Application and one in Adobe Experience Manager.

“Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin,” the company said in its Tuesday regularly-scheduled patch release.

For Photoshop CC, versions 19.1.8 and earlier for Windows and MacOS are specifically impacted.  Adobe urged users to make sure their programs are up to date (versions 20.0.5).

These include Heap Overflow flaws (CVE-2019-7978, CVE-2019-7980, CVE-2019-7985, CVE-2019-7990 and CVE-2019-7993), Type Confusion glitches (CVE-2019-7969, CVE-2019-7970, CVE-2019-7971, CVE-2019-7972, CVE-2019-7973, CVE-2019-7974 and CVE-2019-7975), Command Injection (CVE-2019-7968 and CVE-2019-7989) and Out of Bound Write vulnerabilities (CVE-2019-7976, CVE-2019-7979, CVE-2019-7982, CVE-2019-7983, CVE-2019-7984, CVE-2019-7986, CVE-2019-7988 and CVE-2019-7994).

adobe photoshop CC

Photoshop CC impacted and revolved versions

For all these flaws, “successful exploitation could lead to arbitrary code execution in the context of the current user,” according to Adobe. Researchers at Trend Micro’s Zero Day Initiative, Topsec Alpha Team, Fortinet’s FortiGuard Labs and Source Incite were credited with discovering the flaws.

Two critical flaws exist in Creative Cloud Desktop Application, Adobe’s tool for launching and updating desktop apps; specifically impacting versions 4.6.1 and earlier for Windows and macOS. These include a flaw enabling information leakage (CVE-2019-7968) and a privilege escalation vulnerability (CVE-2019-7958).

And, a critical Authentication Bypass vulnerability was patched in Adobe Experience Manager (CVE-2019-7964), Adobe’s content management platform for building websites and mobile apps, which could allow for remote code execution. This flaw specifically exists in the Security Assertion Markup Language (SAML) handler in Adobe Experience Manager, which is an XML-based framework for exchanging security information.

Impacted are versions 6.4 and 6.5 of Adobe Experience Manager: “successful exploitation could result in unauthorized access to the AEM environment,” said Adobe.

Also of note are patches that were issued for Adobe Acrobat and Reader, which addressed a total of 76 important vulnerabilities. These flaws range in impact from arbitrary code execution and information disclosure.

The release marks a regularly-scheduled Patch Tuesday update for several companies, and while “Microsoft may have had a slow [Patch Tuesday] day, but Adobe released 8 updates,” said Chris Goettl, director of product management for Security at Ivanti, said in an email. “If you are a Creative Cloud or Experience Manager user be sure to review the bulletins because several are rated Critical. Adobe also released updates for Acrobat and the more common Acrobat Reader with details under APSB19-41.  This update for both Windows and macOS fixes 76 vulnerabilities which are all rated as Important.  There are updates for the Continuous, Classic 2015, and Classic 2017 versions of the products.”

In July, Adobe issued patches for Bridge CC, Experience Manager and Dreamweaver. Experience Manager was patched for three vulnerabilities, while Bridge and Dreamweaver each have one. None are labeled as critical, and the highest rated vulnerability for each software package is labeled as important.

Suggested articles