Adobe Patches Critical Bugs in Illustrator, Media Encoder

adobe november patch tuesday

Adobe’s monthly patch load is low for November, with only three critical bugs and eight important ones fixed.

Adobe Systems is warning Illustrator 2019 users that two critical memory-corruption vulnerabilities could allow for an attacker to remotely connect to a Windows machine, execute code and gain control of the targeted system.

The create-suite behemoth also warned Tuesday, as part of its regular monthly patch advisories, that its Windows and macOS versions of its Adobe Media Encoder also have a critical vulnerability tied to an out-of-bounds write flaw.

Adobe said none of the critical bugs, nor an additional eight vulnerabilities rated important and identified Tuesday, have been exploited in the wild.

Adobe Illustrator 2019

Three security updates available for Adobe Illustrator 2019 affect version Windows 23.1 and earlier. The most serious of the bugs (CVE-2019-8247, CVE-2019-8248 ) are both remote code execution flaws. Adobe did not go into technical detail of either bug. Mitigation includes updating to the latest version (24.0) of the software, according to the bulletin.

Like both critical bugs, the additional important Illustrator vulnerability (CVE-2019-7962) is also found in the Windows 23.1 and earlier versions of the software.

Kushal Arvind Shah of Fortinet’s FortiGuard Labs are credited for finding both the critical bugs.

Adobe Media Encoder  

The free application Adobe Media Encoder, used with Adobe Premiere Pro and Adobe After Effects to transcode video suitable for the web, also received a critical fix (CVE-2019-8246). Affected was the 13.1 version of the software compatible with both the Windows and macOS operating systems.

The fixes for the additional important Media Encoder bugs (CVE-2019-8241, CVE-2019-8242, CVE-2019-8243, CVE-2019-8244), resolve multiple file parsing vulnerabilities. Successful exploitation could lead to information disclosure in the context of the current user, according to Adobe.

Wen Guang Jiao of Qihoo 360 Core Security is credited for finding the critical RCE bug. Adobe is urging customers to upgrade to the 14.0 version of the software.

Adobe Bridge and Animate

Adobe Bridge also received a number of important updates (CVE-2019-8239, CVE-2019-8240), impacting both the Windows and macOS 9.1 versions of the software. Mitigation includes updating to the 10.0 version of Adobe Bridge.

“This update addresses multiple vulnerabilities rated important that occur when parsing malformed SVG images. Successful exploitation could lead to information disclosure in the context of the current user,” wrote Adobe.

Adobe is also warning that its Animate (version 19.2.1) software for Windows is also vulnerable to a security flaw rated important. The bug (CVE-2019-7960) is an “insecure library loading vulnerability that could lead to privilege escalation,” according to the company.

Researcher Youngjun Liu of Nsfocus is credited for discovering and reporting the Animate bug.

Insecure Defaults in Adobe’s Mobile SDKs

The Tuesday Adobe security bulletin did not address an insecure defaults issue with with its Adobe’s mobile SDK found last week by researchers behind the Nightwatch Cybersecurity blog. That Adobe issue was addressed last week with the company stating:

“Adobe worked with the researcher who brought this matter to our attention to remediate the findings. Adobe released new versions of the mobile SDKs, which can be found here: https://github.com/Adobe-Marketing-Cloud/acp-sdks. The SDKs are configurable in Adobe Experience Platform Launch and require SSL for data transmission.”

Nightwatch Cybersecurity had found that some default configuration files, provided by Adobe within its mobile SDKs, include several insecure options. If developers failed to change those default configuration options than corresponding live code could also be insecure.

What are the top risks to modern enterprises in the peak era of data breaches? Find out: Join breach expert Chip Witt from SpyCloud and Threatpost senior editor Tara Seals, in our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.

Suggested articles