Adobe Systems has patched seven critical vulnerabilities, which impact Windows, macOS and Linux users. The impact of the serious flaws range from arbitrary code execution to sensitive information disclosure.
The software company’s regularly scheduled Tuesday security updates impact a slew of its multimedia and creativity software products – from Photoshop to Illustrator to Adobe Bridge.
In tandem with Tuesday’s security update, Adobe starting on Tuesday will also block Flash Player content, weeks after dropping support for Flash. The move means that when users attempt to load a page with Flash Player, the content now will no longer load.
“Since Adobe will no longer be supporting Flash Player after December 31, 2020 and Adobe will block Flash content from running in Flash Player beginning January 12, 2021, Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems,” according to Adobe.
‘Priority 3’ Campaign Classic Update
One of the most severe critical flaws (CVE-2021-21009) has been patched in Adobe Campaign Classic, Adobe’s marketing campaign management platform.
“These updates address a critical server-side request forgery (SSRF) vulnerability that could result in sensitive information disclosure,” according to Adobe. SSRF is a web-based flaw that enables attackers to induce the server-side application to make HTTP requests to an arbitrary domain.
Various versions of Adobe Campaign Classic for Windows and Linux users are affected; a full detail of affected versions and patched versions are available here.
The flaw has a “priority 2” update ranking, which according to Adobe means that it resolves vulnerabilities in a product that has “historically been at elevated risk” – but for which there are currently no known exploits.
“Based on previous experience, we do not anticipate exploits are imminent,” according to Adobe. “As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days).”
Of note, the remainder of Adobe’s patches, while critical, are “priority 3” updates, Chris Goettl, senior director of product management and security at Ivanti, told Threatpost. Out of the three priorities, “priority 1” is the most severe, while “priority 3” is the least serious. “Priority 3” updates resolve flaws in a product that has historically not been a target for attackers.
“Given this guidance, administrators should look to update Adobe Campaign Classic in their monthly maintenance,” Goettl told Threatpost. “The rest of the updates should be evaluated and updated as reasonable as it is never good to let software stagnate.”
Other Critical Flaws
In Adobe’s flagship Photoshop photo-editing application, the company fixed a critical-severity heap-based buffer overflow vulnerability (CVE-2021-21006). A heap-based buffer overflow is a class of vulnerability where the region of a process’ memory used to store dynamic variables (the heap) can be overwhelmed. If exploited, this flaw could enable arbitrary code execution.
The bug affects Photoshop 2021 version 22.1 and earlier for Windows and macOS; users should update to version 22.1.1.
Adobe’s Illustrator design application also has a critical flaw (CVE-2021-21007) stemming from an uncontrolled search path element. This category of vulnerability occurs when an application uses a fixed (or controlled) search path to find resources – but one or more locations of the path are under control of a malicious user.
The flaw, which could enable arbitrary code execution, exists in Illustrator 2020 for Windows and macOS versions 25 and earlier; version 25.1 contains the fix.
Adobe Bridge, Adobe’s digital asset management app, had critical vulnerabilities tied to two CVEs, CVE-2021-21012 and CVE-2021-21013.
These errors stem from out-of-bounds write issues, which stems from write operations that then produce undefined or unexpected results. If exploited the flaws can result in arbitrary code execution.
Both flaws exist in Adobe Bridge version 11 and earlier for Windows; a fix has been issued in version 11.0.1.
Adobe also fixed critical flaws in its Adobe Animate (CVE-2021-21008) and Adobe InCopy (CVE-2021-21010); as well as an important-severity flaw in Adobe Captivate (CVE-2021-21011).
The January patches follow Adobe’s regularly scheduled December security updates, where the company issued fixes for flaws tied to one important-rated and three critical-severity CVEs across its Adobe Prelude, Adobe Experience Manager and Adobe Lightroom applications.
Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.