Adobe has issued unscheduled patches for two critical vulnerabilities that, if exploited, enable an attacker to execute remote code on targeted devices.
The two apps affected by the critical flaws are Adobe After Effects, a visual effects and motion graphics app used for post-production film making and video game production, and Adobe Media Encoder, an application to help with media processing requirements for audio and video.
“Both vulnerabilities can be exploited by a remote, unauthenticated attacker via the internet, and both exist “due to a boundary error when processing untrusted input,” according to an analysis of the flaws after they were disclosed Wednesday evening. “A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.”
Adobe After Effects has an out-of-bounds write flaw (CVE-2020-3765), which stems from write operations that then produce undefined or unexpected results. This could enable arbitrary code execution, according to Adobe’s update. Adobe After Effects versions 16.1.2 and earlier (for Windows) are affected. Users need to update to version 17.0.3, available on both Windows and macOS.
While the vulnerability is critical in severity, the update has a priority 3 rating, which according to Adobe “resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.”
The other vulnerability, in Adobe Media Encoder, is also a critical out-of-bounds write vulnerability (CVE-2020-3764) that could enable arbitrary code execution. Adobe Media Encore versions 14.0 and earlier (for Windows) are impacted; the patched version is 14.0.2 (also in a “priority 3” update).
“The Media Encoder is a relatively straightforward open-and-own scenario,” Dustin Childs, manager with Trend Micro’s Zero Day Initiative (which discovered the flaw), told Threatpost. “The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process.”
Matt Powell (for CVE-2020-3765) and Francis Provencher (for CVE-2020-3764) with Trend Micro’s Zero Day Initiative were credited for discovering these vulnerabilities. Adobe said it is not aware of any exploits in the wild for flaws.
These latest patches come a week after Adobe issued its regularly scheduled fixes for February, which stomped out flaws tied to 42 CVEs. Thirty-five of those flaws were critical in severity, including ones that affected its Framemaker and Flash Player products, which, if exploited, could lead to arbitrary code-execution. And, in Adobe’s January security update, it addressed nine vulnerabilities overall, including ones in Adobe Illustrator CC and Adobe Experience Manager.