Adobe has released security patches tackling four critical vulnerabilities in Adobe Bridge, along with other critical and important-rated updates for bugs in Adobe Digital Editions, Adobe Photoshop and RoboHelp.
In all, Adobe fixed 10 security holes in its products during its scheduled April updates, seven of them listed as critical.
None of the CVEs addressed by Adobe are listed as publicly known or under active attack at the time of release.
“This month, Adobe had four updates for Photoshop, Digital Editions, Bridge, and Robohelp and all rated as Priority 3,” Chris Goettl, senior director of product management and security at Ivanti, told Threatpost. “The reasoning behind Adobe’s prioritization is because this update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.”
Goettl noted that this is an aspect of vendor severity ratings that many don’t take into account – if applications are less likely to be targeted by threat actors, Adobe sets the severity of the vulnerability lower, regardless of how severe of a bug it may be. Thus, patching priority should be determined on an organization-by-organization basis.
“While historical evidence reflects Adobe’s assessment accurately, it does not remove all risk,” he noted. “Photoshop has had as many as nine exploited CVEs over the years, the most recent being the CVEs in 2015. Of these four updates, Photoshop is the riskiest.”
Adobe Bridge Security Vulnerabilities
Adobe Bridge is a creative-asset manager that helps users preview, organize, edit and publish multiple creative assets in a streamlined way. It contains the four critical bugs as well as two “important” vulnerabilities:
- CVE-2021-21093 and CVE-2021-21092 are critical memory-corruption issues leading to arbitrary code execution;
- CVE-2021-21094 and CVE-2021-21095 are critical out-of-bounds write bugs also leading to arbitrary code execution;
- CVE-2021-21091 is an important out-of-bounds read issue that could lead to information disclosure;
- And CVE-2021-21096 stems from improper authorization and allows privilege escalation.
“Arbitrary code execution, or ACE, vulnerabilities provide an adversary a platform to quickly execute additional code or applications on a target system, opening the door to lateral movement or quick exfiltration of system data,” Jay Goodman, manager of product marketing at Automox, said via email.
Other Adobe Patches for April
Adobe also addressed two critical vulnerabilities in Photoshop, its popular photo-editing software (CVE-2021-28548 and CVE-2021-28549). Both are buffer-overflow bugs that allow arbitrary code execution.
The company also patched a final critical vulnerability in Adobe Digital Editions, CVE-2021-21100, which is a privilege-escalation problem allowing an arbitrary file-system write. Digital Editions is Adobe’s e-Book reader software used for acquiring, managing and reading e-books, digital newspapers and other digital publications.
“This vulnerability allows an attacker to force the target application to overwrite any file on a system as a privileged user,” Goodman said. “This can allow an attacker to take a system offline by overwriting critical system files.”
And finally, Adobe patched one important-rated vulnerability in RoboHelp, which is a platform for authoring technical articles and how-tos. The bug, tracked as CVE-2021-21070, is an uncontrolled search path element that could allow privilege escalation.
Users can enable auto-updates for the bugs by going to Help > Check for Updates.
“These vulnerabilities should be patched within the 72-hour window to ensure attackers do not have the time to weaponize them against your organization,” Goodman noted.
Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event.