Adobe’s Surprise Security Bulletin Dominated by Critical Patches

Out of 92 security vulnerabilities, 66 are rated critical in severity, mostly allowing code execution. The most severe can lead to information disclosure.

Adobe has dropped a mammoth out-of-band security update this week, addressing 92 vulnerabilities across 14 products.

The majority of the disclosed bugs are critical-severity problems, and most allow arbitrary code execution (ACE). Privilege escalation, denial-of-service and memory leaks/information disclosure are all well-represented, as well.

Adobe After Effects, Animate, Audition, Bridge, Character Animator, Illustrator, InDesign, Lightroom Classic, Media Encoder, Photoshop, Prelude, Premiere Pro, Premiere Elements and the XMP Toolkit SDK all received patches.

Infosec Insiders Newsletter

There’s plenty of commonality across the advisories. For instance, the lion’s share of the bugs allow access to a memory location after the end of a buffer, leading to ACE (a type of memory issue that can be exploited, like a standard buffer overflow in the worst-case scenario).

Also, almost all of the critical problems rate 7.8 on the CVSS vulnerability severity scale, except for one type. The advisory lists “NULL pointer dereference bugs causing memory leak” flaws as the most severe issues in the bunch, all rating 8.3 on the CVSS scale. These pop up in Bridge, Media Encoder, Prelude and Premiere Elements (and are italicized, below).

Adobe October Out-of-Band CVEs

Here’s the full breakdown of the critical bugs:

After Effects:

  • CVE-2021-40751, CVE-2021-40752, CVE-2021-40753, CVE-2021-40754, CVE-2021-40755, CVE-2021-40757, CVE-2021-40758, CVE-2021-40759, CVE-2021-40760 (Access of Memory Location After End of Buffer/ACE)

Animate:

  • CVE-2021-40733, CVE-2021-42266, CVE-2021-42267 (Access of Memory Location After End of Buffer/ACE)
  • CVE-2021-42268 (NULL Pointer Dereference/ACE)
  • CVE-2021-42269 (Use After Free/ACE)
  • CVE-2021-42270, CVE-2021-42271, CVE-2021-42272, CVE-2021-42524 (Out-of-Bounds Write/ACE)

Audition:

  • CVE-2021-40734, CVE-2021-40735, CVE-2021-40736, CVE-2021-40738, CVE-2021-40739, CVE-2021-40740 (Access of Memory Location After End of Buffer/ACE)

Bridge:

  • CVE-2021-40750 (NULL Pointer Dereference/memory leak)
  • CVE-2021-42533 (Double Free/ACE)
  • CVE-2021-42722, CVE-2021-42720, CVE-2021-42719 (Out-of-Bounds Read/ACE)
  • CVE-2021-42728 (Buffer Overflow/ACE)
  • CVE-2021-42724, CVE-2021-42729, CVE-2021-42730 (Access of Memory Location After End of Buffer/ACE)

Character Animator:

  • CVE-2021-40763, CVE-2021-40764, CVE-2021-40765 (Access of Memory Location After End of Buffer/ACE)

Illustrator:

  • CVE-2021-40718 (Out-of-Bounds Read/memory leak)
  • CVE-2021-40746 (Out-of-Bounds Read/ACE)

InDesign:

  • CVE-2021-42732 (Access of Memory Location After End of Buffer/ACE)
  • CVE-2021-42731 (Buffer Overflow/ACE)

Lightroom Classic:

  • CVE-2021-40776 (Creation of Temporary File in Directory with Incorrect Permissions/privilege escalation)

Media Encoder:

  • CVE-2021-40778 (NULL Pointer Dereference/memory leak)
  • CVE-2021-40777, CVE-2021-40779, CVE-2021-40780 (Access of Memory Location After End of Buffer/ACE)

Photoshop:

  • CVE-2021-42735 (Access of Memory Location After End of Buffer/ACE)
  • CVE-2021-42736 (Buffer Overflow/ACE)

Prelude:

  • CVE-2021-40773 (NULL Pointer Dereference/memory leak)
  • CVE-2021-42733 (Improper Input Validation/ACE)
  • CVE -2021-40775, CVE-2021-42738, CVE-2021-42737, CVE-2021-40772, CVE-2021-40771 (Access of Memory Location After End of Buffer/ACE)

Premiere Elements:

  • CVE-2021-40785 (NULL Pointer Dereference/memory leak)
  • CVE-2021-40786, CVE-2021-40787, CVE-2021-42526, CVE-2021-42527 (Access of Memory Location After End of Buffer/ACE)

Premiere Pro:

  • CVE-2021-40792, CVE-2021-40793, CVE-2021-40794 (Access of Memory Location After End of Buffer/ACE)

XMP Toolkit SDK:

  • CVE-2021-42529, CVE-2021-42530, CVE-2021-42531, CVE-2021-42532 (Stack-Based Buffer Overflow/ACE)

This bulletin was prompted by findings from two teams that deserve busy-beaver awards: Adobe variously credited researchers from TopSec Alpha Team and Trend Micro’s Zero-Day Initiative (ZDI) for most of the bugs, except for CVE-2021-40746 in Illustrator, credited to “Tmgr.” This could also explain some of the commonalities in the bulletins.

“Of the patches released by Adobe, nine of these came through the ZDI program,” Dustin Childs of ZDI told Threatpost. “Most of these are simple file-parsing bugs, but there are a couple of critical-rated out-of-bounds (OOB) write bugs as well. For these, the vulnerability results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage these bugs to execute code in the context of the current process.”

The fixes come two weeks after Adobe released its normal monthly Patch Tuesday patches. A company spokesperson characterized the release as “planned” rather than an emergency response – and indeed, Adobe said in its advisories that there’s no evidence that any of the bugs are being exploited in the wild.

“While we strive to release regularly scheduled updates on Patch Tuesday, occasionally these regularly scheduled security updates are released on non-Patch Tuesday dates,” a company spokesperson told the Register.

Of note: The advisory for Bridge is listed as priority 2 for patching, which in Adobe parlance means that the product has historically been at elevated risk for exploitation, so it comes with a recommendation that administrators patch within 30 days. The other advisories are priority 3, which is the lowest risk level, meaning that administrators can patch “at their discretion.”

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.