Adobe Patches 18 Critical Flaws in Out-Of-Band Update

Critical vulnerabilities were patched in Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush and Audition.

Adobe patched 18 critical vulnerabilities Tuesday impacting key products Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush and Audition. The out-of-band fixes address vulnerabilities allowing an attacker to execute arbitrary code, if bugs are exploited.

In its security bulletin Adobe said it was not aware of any exploits in the wild for any of the bugs.

Five of the critical flaws were discovered in versions 17.1 and earlier of After Effects. Users are encouraged to update to version 17.1.1.

The After Effects flaws include an out-of-bounds read vulnerability (CVE-2020-9661), out-of-bounds write vulnerabilities (CVE-2020-9660, CVE-2020-9662) and heap overflow flaws ( CVE-2020-9637, CVE-2020-9638).

Adobe Illustrator received five patches, including one for a buffer error (CVE-2020-9642) and memory corruption bugs (CVE-2020-9575, CVE-2020-9641, CVE-2020-9640, CVE-2020-9639).  Versions 24.1.2 and earlier of Illustrator 2020 are affected, version 24.2 of the popular illustration app has fixed the issues.

Adobe also patched three flaws in versions 1.5.12 and earlier of Premiere Rush, Adobe’s video editing app. The flaws were fixed in version 1.5.16. They included two out-of-bounds write (CVE-2020-9656, CVE-2020-9657) and an out-of-bounds read flaw (CVE-2020-9655).

And, Adobe patched three flaws in Premiere Pro, another version of Adobe’s video editing software that is more advanced than Adobe Premiere Rush (which is instead more targeted toward YouTubers and social media creators). These include out-of-bounds write (CVE-2020-9653, CVE-2020-9654) and out-of-bounds read (CVE-2020-9652) vulnerabilities. Adobe Premiere Pro versions 14.2 and earlier are affected; users are urged to update to version 14.3.

Finally, versions 13.0.6 and earlier of Adobe’s audio app, Audition, had two critical out-of-bounds write flaws (CVE-2020-9658, CVE-2020-9659). These flaws were fixed in version 13.0.7 for Windows and macOS.

An “important” severity out-of-bounds read bug (CVE-2020-9666) enabling information disclosure was also patched in Adobe Campaign Classic, its marketing campaign management application.

The out-of-band update comes a week after Adobe’s scheduled patches, where it stomped out four critical flaws in Flash Player and in its Framemaker document processor.

Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about itPlease register here for this Threatpost webinar.

Suggested articles