Adobe on Tuesday released its March Security Update, reporting and fixing only two critical flaws: one in Photoshop CC and one in Adobe Digital Editions.
Both critical flaws could allow a bad actor to achieve arbitrary code execution in the context of the current user, Adobe said. The company said it is not aware of any exploits in the wild for the security issues.
“Adobe has published security bulletins for Adobe Digital Editions and Adobe Photoshop CC,” the company said in its release. “Adobe recommends users update their product installations to the latest versions…”
The first critical flaw is in Adobe Photoshop CC for Windows and macOS. Successful exploitation of the heap corruption flaw (CVE-2019-7094) could lead to arbitrary code execution in the context of the current user.
Francis Provencher with Zero Day Initiative (ZDI) is credited with discovering the vulnerability. “This is a heap corruption due to an out-of-bounds write in Photoshop that could allow code execution if an attacker could convince someone to open a specially crafted file,” a ZDI spokesperson told Threatpost.
Impacted are Photoshop CC 19.1.7 (and earlier 19.x versions) as well as 20.0.2 (and earlier 20.x versions); users are urged to update to Photoshop CC 19.1.8 and 20.0.4 for Windows and macOS.
The other critical vulnerability exists in Adobe Digital Edition, its ebook reader software program.
The heap overflow vulnerability, CVE-2019-7095, could be exploited to achieve arbitrary code execution in the context of the current user, according to Adobe. Versions 184.108.40.206749 and below for Windows are impacted, and users are urged to update to version 220.127.116.11048.
Both updates are “priority 3,” meaning that “this update resolves vulnerabilities in a product that has historically not been a target for attackers. “Adobe recommends administrators install the update at their discretion,” according to the update notes.
“The updates for Adobe Photoshop and Digital Editions each resolve one CVE and are rated as a priority 3,” Chris Goettl, director of product management at Ivanti, told Threatpost. “The CVEs are rated as Critical, so don’t ignore them, just get them rolled out in a timely manner.”
Adobe’s February update resolved far more bugs in its products. Overall, Adobe’s February update patched 75 important and critical vulnerabilities across its products compared to only two reported in March.
Earlier in March, Adobe also issued an emergency patch for a critical vulnerability in its ColdFusion service that is being exploited in the wild. The vulnerability, CVE-2019-7816, exists in Adobe’s commercial rapid web application development platform, ColdFusion. The ColdFusion vulnerability is a file upload restriction bypass which could enable arbitrary code execution.