Adobe releases security updates for 59 bugs affecting its main products, including Adobe Acrobat Reader, XMP Toolkit SDK and Photoshop.
Adobe is urging its throngs of Acrobat Reader users to update their software to address critical vulnerabilities that could allow adversaries to execute arbitrary code on unpatched versions.
The warnings are part of the company’s September monthly security update, which this month addresses 59 bugs found in 15 of its products, including Photoshop, Premiere Elements, ColdFusion and InCopy.
In all, 36 of the vulnerabilities are rated “critical,” an Adobe-specific label indicating that the flaws, if exploited, “would allow malicious native code to execute, potentially without a user being aware.”
As for the Adobe Acrobat family of software, 26 bugs were patched, 13 of which were critical and given an Adobe priority rating of “2,” indicating that the affected product is at “elevated risk” of being attacked.
Other high-rated bugs include a bevy of code-execution vulnerabilities triggered via type confusion, heap-based buffer overflow or use-after-free style attacks.
“[One] bug fixed by [a] Photoshop patch could … lead to code execution when opening a specially crafted file,” commented Zero Day Initiative in a Tuesday post.
“If you are still using ColdFusion, you’ll definitely want to patch the two critical-rated security feature bypass bugs being fixed today,” ZDI continued.
Of the Adobe bugs rated highest in severity under MITRE’s Common Vulnerability Scoring System (CVSS), standouts include a Framemaker bug (CVE-2021-39830) rated 8.8. Another 8.8 high-severity bug (CVE-2021-39820), like the former, allows a threat actor to execute arbitrary code in versions of Adobe InDesign.
Next, in terms of high-severity CVSS scores, is a flaw in Adobe Digital Editions rated 8.6. The vulnerability (CVE-2021-39826) is described as an OS command-injection bug.
“The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component,” MITRE said of the Digital Editions flaw.
None of the bugs fixed by Adobe this month are believed to be publicly known or under active attack, according to Adobe.