Adobe Warns Windows, macOS Users of Critical-Severity Flaws

adobe security updates

Adobe fixed three critical-severity flaws in Adobe Prelude, Adobe Experience Manager and Adobe Lightroom.

Adobe Systems has stomped out critical-severity flaws across its Adobe Prelude, Adobe Experience Manager and Adobe Lightroom applications. If exploited, the serious vulnerabilities could lead to arbitrary code execution.

Overall, Adobe issued patches for flaws tied to one important-rated and three critical-severity CVEs, during its regularly scheduled December security updates. The updates follow the company’s November patches, where the company fixed critical-severity flaws tied to four CVEs in the Windows and macOS versions of its Acrobat and Reader family of application software services; all of which could be exploited to execute arbitrary code on affected products.

“Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” according to Adobe’s Tuesday security update.

This month’s Adobe patch roundup included a critical cross-site scripting (XSS) vulnerability in Adobe Experience Manager (AEM), the company’s content-management solution for building websites, mobile apps and forms. If exploited, the vulnerability (CVE-2020-24445) could allow a bad actor to execute arbitrary JavaScript on the victim’s browser.

AEM CS, AEM 6.5.6.0 and earlier, AEM 6.4.8.2 and earlier and AEM 6.3.3.8 and earlier are affected; AEM users can update to the fixed AEM versions, below. The update is a “priority 2” which according to Adobe resolves flaws in a product that “has historically been at elevated risk” – but for which there are currently no known exploits.

adobe updates

AEM Fixed Versions. Credit: Adobe

An important-severity flaw also exists in AEM (CVE-2020-24444), which stems from blind server-side request forgery (SSRF). Blind SSRF occurs when an application can be manipulated to issue a back-end HTTP request to a supplied URL, but the response from the back-end request is not returned in the application’s front-end response. This issue can result in sensitive data disclosure, according to Adobe.

Adobe also addressed a critical vulnerability in its Lightroom Classic for Windows and macOS, which if exploited could enable arbitrary code execution in the context of the current user. Lightroom Classic is Adobe’s desktop application enabling photo editing.

The flaw stems from an uncontrolled search path element in Lightroom Classic, version 10.0 and earlier of Windows. An uncontrolled search path is a weakness that occurs when applications use fixed search paths to find resources – but one or more locations of the path are under control of malicious user. In the case of this flaw (CVE-2020-24447) in Lightroom Classic, the issue could enable arbitrary code execution.

Adobe urged Lightroom Classic users on the Windows and MacOS platforms to update to version 10.1. The update is a “priority 3” update, meaning it exists in a product that “has historically not been a target for attackers,” according to Adobe.

“Adobe recommends administrators install the update at their discretion,” according to the update.

A final critical vulnerability was patched in Adobe Prelude, Adobe’s logging tool for tagging media with metadata for searching, post-production workflows and footage lifecycle management. This vulnerability is another uncontrolled search path (CVE-2020-24440) that affects Adobe Prelude version 9.0.1 and earlier for Windows. If exploited, the flaw could enable arbitrary code execution.

Users are urged to update to Adobe Prelude version 9.0.2 for Windows and macOS in what Adobe prescribes a “priority 3” update rating.

Adobe Systems has dealt with various security issues over the past few months.  In October, after warning of a critical vulnerability in its Flash Player application for users on Windows, macOS, Linux and ChromeOS operating systems, Adobe released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. Adobe Illustrator was hit the hardest.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles