Adobe has released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. Adobe Illustrator was hit the hardest.
There are 16 critical bugs, all of which allow arbitrary code execution in the context of the current user. They affect Adobe Illustrator, Adobe Animate, Adobe After Effects, Adobe Photoshop, Adobe Premiere Pro, Adobe Media Encoder, Adobe InDesign and the Adobe Creative Cloud Desktop Application.
Adobe also patched two important-rated issues, in Dreamweaver and the Marketo Sales Insight Salesforce package.
Many of the issues concern uncontrolled search-path elements, but there are also out-of-bounds problems, memory-corruption issues and a cross-site scripting (XSS) bug.
“Arbitrary code execution vulnerabilities are particularly nefarious given that they enable attackers to directly run malicious code on the exploited systems,” Jay Goodman, strategic product marketing manager at Automox, told Threatpost. “Coupled with the fact that these vulnerabilities are in critical technologies like Marketo and most of the Adobe Creative Cloud applications, this could leave sensitive marketing data and creative IP exposed to destruction or IP theft by potential adversaries. Organizations should move to quickly patch these vulnerabilities within the 72-hour window [we recommend] in order to minimize exposure and maintain a high level of cyber-hygiene.”
Critical Patches
Illustrator contains seven bugs affecting Illustrator 2020 for Windows, 24.2 and earlier versions.
Two of the issues are out-of-bounds read flaws, (CVE-2020-24409, CVE-2020-24410); one is an out-of-bounds write bug (CVE-2020-24411). Tran Van Khang working with Trend Micro Zero Day Initiative is credited for the discoveries.
“All of these vulnerabilities occur within the processing of PDF files by Illustrator,” Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative, told Threatpost. “In all three cases, an attacker can leverage the vulnerabilities to execute code in the context of the current process.”
For the out-of-bounds read bugs, “Illustrator does not properly validate user-supplied data, which can result in a read past the end of an allocated structure,” he explained.
Meanwhile, the out-of-bounds write bug “occurs because Illustrator does not properly validate user-supplied data, which can result in a write past the end of an allocated structure,” Childs said.
Meanwhile, the other four Illustrator bugs are due to memory corruption (CVE-2020-24412, CVE-2020-24413,CVE-2020-24414, CVE-2020-24415), and Honggang Ren of Fortinet’s FortiGuard Labs was given the hat-tip for these.
Ren is also credited with finding an out-of-bounds read problem (CVE-2020-24418) in After Effects for Windows (17.1.1 and earlier versions).
Meanwhile, Animate for Windows (20.5 and earlier versions) contains a double-free bug (CVE-2020-9747); a stack-based buffer overflow issue (CVE-2020-9748); and two out-of-bounds reads (CVE-2020-9749 and CVE-2020-9750).
Kexu Wang of Fortinet’s FortiGuard Labs is credited with finding the issues. Wang is also credited with finding a memory-corruption bug (CVE-2020-24421) afflicting InDesign for Windows (15.1.2 and earlier versions).
Meanwhile, Hou JingYi of Qihoo 360 CERT found four critical uncontrolled search-path element bugs, including in:
- After Effects (CVE-2020-24419)
- Windows versions of Photoshop CC 2019, 20.0.10 and earlier versions; and Photoshop 2020, 21.2.2 and earlier versions (both tracked as CVE-2020-24420)
- Premiere Pro for Windows, 14.4 and earlier versions (CVE-2020-24424)
- and Media Encoder for Windows, 14.4 and earlier versions (CVE-2020-24423)
Users can update their software installations via the Creative Cloud desktop app updater, or by navigating to the application’s Help menu and clicking “Updates.”
Speaking of Creative Cloud, the Creative Cloud Desktop Application Installer for Windows (5.2 and earlier versions for the older product and 2.1 and earlier versions for the new installer) also has an uncontrolled search-path element bug (CVE-2020-24422) – this one uncovered by Dhiraj Mishra.
Other Bugs
Adobe Dreamweaver 20.2 and earlier versions for Windows and macOS contains an uncontrolled search-path element bug that could allow privilege escalation (CVE-2020-24425). The flaw also affects libCURL dependencies in Dreamweaver 20.1 and earlier.
Xavier DANEST from Decathlon was credited with the discovery.
And, the Marketo Sales Insight Salesforce package, 1.4355 and earlier versions, has an XSS bug that allows JavaScript execution in the browser (CVE-2020-24416). It was discovered by Aditya Sharma and Shivam Kamboj Dattana of Root Fix.
The out-of-band patches follow the disclosure of just one vulnerability in October as part of Adobe’s regularly scheduled patches (markedly less than the 18 flaws addressed during its September regular update).
That was a critical bug in its Flash Player application for users on Windows, macOS, Linux and ChromeOS operating systems (CVE-2020-9746). If successfully exploited, it could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user, according to Adobe.
Also this month, Adobe announced two critical flaws (CVE-2020-24407 and CVE-2020-24400) in Magento – Adobe’s e-commerce platform that is commonly targeted by attackers like the Magecart threat group. They could allow arbitrary code execution as well as read or write access to the database.