Adobe released patches for four critical flaws in Flash Player and in its Framemaker document processor as part of its regularly scheduled updates. The bugs, if exploited, could enable arbitrary code-execution.
In Tuesday’s June Adobe security updates, critical flaws tied to three CVEs were patched in Adobe Framemaker, which is Adobe’s application designed for writing and editing large or complex documents.
The flaws include two critical out-of-bounds write flaws (CVE-2020-9634, CVE-2020-9635), which stem from write operations that then produce undefined or unexpected results. Francis Provencher working with Trend Micro’s Zero Day Initiative (ZDI) was credited with finding these arbitrary code-execution flaws.
Dustin Childs, communications manager with Trend Micro’s ZDI, told Threatpost that an attacker can leverage both flaws to execute code in the context of the current process. They would need to entice a user to open a specially crafted file or visit a malicious page, he said.
“For CVE-2020-9634, the specific flaw exists within the parsing of GIF files,” Childs told Threatpost. “The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. For CVE-2020-9635, the specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write before the start of an allocated object.”
Adobe also patched a critical bug (CVE-2020-9636) stemming from memory corruption, where an attempt is made to access memory after it has been freed. This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code – or even enabling full remote code-execution capabilities. Honggang Ren of Fortinet’s FortiGuard Labs reported the flaw.
Adobe Framemaker versions 2019.0.5 and below for Windows are affected; fixes are available in version 2019.0.6.
Flash Player
A critical, use-after-free flaw (CVE-2020-9633) was meanwhile discovered in Flash Player. Affected are Adobe Flash Player Desktop Runtime (Windows, macOS and Linux), Adobe Flash Player for Google Chrome (Windows, macOS, Linux and Chrome OS) and for Microsoft Edge/Internet Explorer 11 (Windows 10 and 8.1), all for versions 32.0.0.330 and earlier.
Impacted users are urged to update to 32.0.0.387 in a “priority 2” update, which according to Adobe “resolves vulnerabilities in a product that has historically been at elevated risk,” but for which there are currently no known exploits.
“Successful exploitation could lead to arbitrary code-execution in the context of the current user,” said Adobe in its update.
Flash is known to be a favorite target for cyberattacks, particularly for exploit kits, zero-day attacks and phishing schemes. Of note, Adobe announced in July 2017 that it plans to push Flash into an end-of-life state, meaning that it will no longer update or distribute Flash Player at the end of this year.
Other Flaws
Adobe also patched flaws tied to six important-severity flaws in Experience Manager, its content management platform for building websites, mobile apps and forms. Versions 6.5 and earlier are affected.
These include server-side request forgery glitches (CVE-2020-9643 and CVE-2020-9645) that could allow sensitive information disclosure, and cross-site scripting vulnerabilities (CVE-2020-9647, CVE-2020-9648, CVE-2020-9651 and CVE-2020-9644) that could enable arbitrary JavaScript execution in the browser.
For all flaws in its June update, Adobe said it is not aware of any exploits in the wild. The regularly scheduled updates come a month after Adobe fixed 16 critical flaws across its Acrobat and Reader applications and its Adobe Digital Negative (DNG) Software Development Kit in May. If exploited, those flaws could lead to remote code execution.
In May, Adobe also issued an out-of-band patch for a critical flaw in Adobe Character Animator, its application for creating live motion-capture animation videos. The flaw can be exploited by a remote attacker to execute code on affected systems.
