Critical Adobe Photoshop Flaws Patched in Emergency Update


Adobe issued out-of-band patches for critical flaws tied to 12 CVEs in Photoshop and other applications.

Adobe released a slew of patches for critical vulnerabilities Tuesday that were part of an out-of-band security update. Several of the critical flaws are tied to Adobe’s popular Photoshop photo-editing software and allow adversaries to execute arbitrary code on targeted Windows devices.

Overall, Adobe issued patches for flaws tied to 12 CVEs across Bridge, Prelude and Photoshop applications. The unscheduled updates come a week after Adobe issued its official July 2020 security updates, including critical code-execution bugs.

Adobe said it was not aware of any exploits in the wild for any of the bugs patched in the update. The company did not offer technical details regarding the Photoshop CVEs.

Threatpost reached out to Mat Powell, researcher with Trend Micro’s Zero Day Initiative, who is credited for finding each of the critical flaws. Powell has not responded to that request. Threatpost hopes to update this report with additional commentary from the researcher.

All of the reported critical flaws stem from out-of-bounds read and write vulnerabilities, which occur when the software reads or writes data past the end of – or before the beginning of – the intended buffer, potentially resulting in corruption of sensitive information, a crash, or code execution, among other things.

Adobe Photoshop features two out-of-bounds read flaws (CVE-2020-9683, CVE-2020-9686) and three out-of-bounds write (CVE-2020-9684, CVE-2020-9685, CVE-2020-9687) issues. All of these could “lead to arbitrary code execution in the context of the current user,” according to Adobe.

The Photoshop vulnerabilities affect Photoshop CC 2019 versions 20.0.9 and earlier and Photoshop 2020 21.2 and earlier (for Windows). Users can update to versions 20.0.10 and 21.2.1, respectively.

Adobe has previously addressed various serious flaws in its Photoshop photo-editing app, including dozens of arbitrary code-execution issues in March, when it addressed 22 CVEs in Photoshop overall, 16 of which were critical.

Other Flaws

Also fixed were critical flaws tied to three CVEs in Bridge, Adobe’s asset management app. These include an out-of-bounds read flaw (CVE-2020-9675) and out-of-bounds write issues (CVE-2020-9674, CVE-2020-9676) that could enable code execution. Adobe Bridge versions 10.0.3 and earlier are affected; users can update to version 10.1.1 for a fix.

Adobe also issued patches for critical vulnerabilities in its Prelude app, which works with its Premiere Pro video editing app to allow users to tag media with metadata for searching, post-production workflows, and footage lifecycle management.

Prelude contains out-of-bounds read (CVE-2020-9677, CVE-2020-9679) and out-of-bounds write (CVE-2020-9678, CVE-2020-9680) glitches that can allow code execution. Adobe Prelude versions 9.0 and earlier for Windows are affected; users can update to version 9.0.1.

Powell was also credited with reporting the additional critical flaws.

Adobe also issued patches for an “important” severity flaw in Adobe Reader Mobile for Android, which allows users to view and edit PDFs from their smartphones. The application has a directory traversal issue (CVE-2020-9663) enabling information disclosure in the context of the current user. Adobe Reader Mobile for Android versions 20.0.1 and earlier are impacted. Users can update to version 20.3 (for all Android versions).


Discussion

  • Brad Trent on

    Well…security issues aside, one thing that hasn’t been fixed is the bug that causes metadata shown in the ‘File Info’ pull down menu to be completely random and non-alphabetical! I’ve been dealing with this problem since I began using the most current update of Photoshop and after installing this latest update it still hasn’t been fixed. Under File Info, all saved metadata templates are totally out of order! Looking in their folder they are alphabetical, but pulling up File Info in Photoshop shows a complete jumble of over 700 saved names, so I now must slowly scroll through every entry until I come across the data file I'm looking for! Since I first posted to the Photoshop forum to try to find a solution, I've spent hours searching for similar problems and came across the exact thing in Bridge from over two years ago... https://community.adobe.com/t5/bridge/sorting-metadata-templets/m-p/11280460#M19815 Since having 'File Info' list metadata randomly has been a problem in the past that had to be addressed in a software update, how is it that even after bringing this to Adobe's attention, it's still not fixed in the current version of Photoshop?!! Having to hunt & peck for a metadata file from a pull-down menu that shows over 700+ random names not only screws up my workflow, but the frustration truly makes me wanna punch a wall!!!
  • Muhammad Muneeb on

    The latest release is more stable and reliable than the previous one. You can download it [link redacted]
