Adobe patched several critical-severity flaws in Adobe Prelude, Adobe Experience Manager and Adobe Lightroom.
Adobe Systems has stomped out critical-severity flaws across its Adobe Prelude, Adobe Experience Manager and Adobe Lightroom applications. If exploited, the critical vulnerabilities could lead to arbitrary code execution.
Overall, Adobe issued patches for flaws tied to one important-rated and three critical-severity CVEs as part of its regularly scheduled December security updates. That is fewer bugs than the company’s regularly scheduled November security updates, which patched vulnerabilities tied to 11 CVEs.
“Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” according to Adobe’s Tuesday security update.
This month’s Adobe patch roundup included a critical cross-site scripting (XSS) vulnerability in Adobe Experience Manager (AEM), the company’s content-management solution for building websites, mobile apps and forms. If exploited, the vulnerability (CVE-2020-24445) could allow a bad actor to execute arbitrary JavaScript in the victim’s browser.
AEM CS, AEM 6.5.6.0 and earlier, AEM 6.4.8.2 and earlier and AEM 6.3.3.8 and earlier are affected; AEM users can update to the fixed AEM versions. The update is a “priority 2,” which according to Adobe resolves flaws in a product that “has historically been at elevated risk” but for which there are currently no known exploits.
An important-severity flaw also exists in AEM (CVE-2020-24444), which stems from blind server-side request forgery (SSRF). Blind SSRF occurs when an application can be manipulated to issue a back-end HTTP request to a supplied URL, but the response from the back-end request is not returned in the application’s front-end response. This issue can result in sensitive data disclosure, according to Adobe.
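The usual mitigation for the SSRF pattern described above is to validate any user-supplied URL before the back end fetches it: restrict the scheme, resolve the host, and refuse every address that lands on an internal, loopback, link-local or cloud-metadata range (blind SSRF still leaks data through those requests even when no response body comes back). The check below is an added example and not Adobe's or AEM's code; the DNS table, host names and addresses are constructed so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table (hypothetical names) so the example runs offline.
# A real deployment resolves with socket.getaddrinfo() and must check
# every address returned, not just the first.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],          # RFC 1918 host
    "localtest.me": ["127.0.0.1"],          # public name pointing at loopback
    "metadata": ["169.254.169.254"],        # cloud metadata endpoint
}

def resolve(host):
    """Return the IP strings for `host`; IP literals resolve to themselves."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])

def is_internal(ip):
    """True for any address a server-side fetch should never reach."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped                  # ::ffff:127.0.0.1 -> 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified
            or not ip.is_global)

def is_safe_outbound_url(url, resolver=resolve, allowed_hosts=None):
    """Decide whether the back end may fetch `url` on a user's behalf.
    Fails closed: anything unparseable or unresolvable is rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                         # no file://, gopher://, etc.
    host = parts.hostname                    # strips userinfo and port
    if not host:
        return False
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False                         # strongest control: an allowlist
    addrs = resolver(host)
    if not addrs:
        return False
    return not any(is_internal(ipaddress.ip_address(a)) for a in addrs)
```

A resolve-then-check validator is still racy against DNS rebinding, so the fetching client should connect to the address that was validated rather than resolving the name a second time.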
Adobe also addressed a critical vulnerability in its Lightroom Classic for Windows and macOS, which if exploited could enable arbitrary code execution in the context of the current user. Lightroom Classic is Adobe’s desktop application for photo editing.
The flaw stems from an uncontrolled search path element in Lightroom Classic, version 10.0 and earlier for Windows. An uncontrolled search path is a weakness that occurs when applications use preset search paths to find resources, but one or more locations on the path are under the control of a malicious user. In the case of this flaw (CVE-2020-24447) in Lightroom Classic, the issue could enable arbitrary code execution.
Adobe urged Lightroom Classic users on the Windows and macOS platforms to update to version 10.1. The update is a “priority 3” update, which means it exists in a product that “has historically not been a target for attackers,” according to Adobe.
“Adobe recommends administrators install the update at their discretion,” according to the update.
A final critical vulnerability was patched in Adobe Prelude, Adobe’s logging tool for tagging media with metadata for searching, post-production workflows and footage lifecycle management. This vulnerability is another uncontrolled search path (CVE-2020-24440) that affects Adobe Prelude version 9.0.1 and earlier for Windows. If exploited, the flaw could enable arbitrary code execution.
Users are urged to update to Adobe Prelude version 9.0.2 for Windows and macOS in what Adobe prescribes a “priority 3” update rating.
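Both the Lightroom Classic and the Prelude flaws are uncontrolled search path weaknesses, so the audit a defender wants is the same for each: walk the directories the loader consults in order and flag any user-writable directory that is searched before the directory where the library really lives. The script below is an added example, not Adobe's code or a description of either product's actual layout; the search order, paths and filesystem contents are constructed so it runs offline, and `real_fs_view` is a hypothetical helper for pointing the same check at a live machine.

```python
import os

# Constructed Windows DLL search order for a hypothetical desktop app
# (illustrative paths, not a real product layout). This is the classic
# order the loader walks for an unqualified LoadLibrary("x.dll") call.
SEARCH_ORDER = [
    r"C:\Program Files\Example\App",      # application directory
    r"C:\Windows\System32",
    r"C:\Windows",
    r"C:\Users\alice\Downloads",          # current working directory
    r"C:\Tools\bin",                      # a PATH entry
]

# Constructed filesystem view: directory -> (user-writable?, files present).
FAKE_FS = {
    SEARCH_ORDER[0]: (False, {"app.exe"}),
    SEARCH_ORDER[1]: (False, {"kernel32.dll", "version.dll"}),
    SEARCH_ORDER[2]: (False, set()),
    SEARCH_ORDER[3]: (True, set()),
    SEARCH_ORDER[4]: (True, {"helper.dll"}),
}

def hijack_risks(search_order, dll_name, fs):
    """Walk `search_order` the way the loader would and report where
    `dll_name` is found plus every user-writable directory consulted
    *before* it. A non-empty risk list is the uncontrolled-search-path
    condition: an unprivileged user could plant a same-named file that
    the loader picks up first. Returns (found_in_or_None, [risky dirs])."""
    risky = []
    want = dll_name.lower()
    for d in search_order:
        writable, files = fs.get(d, (False, set()))
        if want in {f.lower() for f in files}:
            return d, risky
        if writable:
            risky.append(d)
    return None, risky      # never found: the app fails or loads a planted copy

def real_fs_view(dirs):
    """Build an `fs` mapping from the live filesystem for a real audit.
    Caveat: on Windows, os.access(W_OK) reflects only the read-only
    attribute, not ACLs; check ACLs with icacls or the Win32 APIs there."""
    view = {}
    for d in dirs:
        try:
            if os.path.isdir(d):
                view[d] = (os.access(d, os.W_OK), set(os.listdir(d)))
        except OSError:
            continue                        # unreadable directory: skip it
    return view
```

The fix the vendor applies is the shape of the last assertion in a test run: load support libraries by absolute path or restrict the search to the application and system directories, so that a user-writable directory is never consulted at all.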
Adobe Systems has addressed a range of security issues over the past few months. In November, the company fixed critical-severity flaws tied to four CVEs in the Windows and macOS versions of its Acrobat and Reader family of software, all of which could be exploited to execute arbitrary code on affected products. In October, after warning of a critical vulnerability in its Flash Player software for users on the Windows, macOS, Linux and ChromeOS operating systems, Adobe released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. Adobe Illustrator was hit the hardest.
Some parts of this article are sourced from:
threatpost.com