Adobe issued out-of-band patches for critical flaws tied to 12 CVEs in Photoshop and other applications.
Adobe released a slew of patches for critical vulnerabilities Tuesday as part of an out-of-band security update. Several of the critical flaws are tied to Adobe’s well-known Photoshop photo-editing application and allow adversaries to execute arbitrary code on targeted Windows devices.
Overall, Adobe issued patches for flaws tied to 12 CVEs across its Bridge, Prelude and Photoshop applications. The unscheduled updates come a week after Adobe issued its official July 2020 security updates, which included critical code-execution bugs.
Adobe said it was not aware of any exploits in the wild for any of the bugs patched in the update. The company did not offer technical details regarding the Photoshop CVEs.
Threatpost reached out to Mat Powell, researcher with Trend Micro’s Zero Day Initiative, who is credited with discovering each of the critical flaws. Powell has not responded to that request. Threatpost hopes to update this report with further commentary from the researcher.
All of the reported critical flaws stem from out-of-bounds read and write vulnerabilities, which occur when the software reads or writes data past the end of – or before the beginning of – the intended buffer, potentially resulting in corruption of sensitive information, a crash, or code execution, among other things.
Adobe Photoshop contains two out-of-bounds read flaws (CVE-2020-9683, CVE-2020-9686) and three out-of-bounds write issues (CVE-2020-9684, CVE-2020-9685, CVE-2020-9687). All of these could “lead to arbitrary code execution in the context of the current user,” according to Adobe.
The Photoshop vulnerabilities affect Photoshop CC 2019 versions 20..9 and earlier and Photoshop 2020 21.2 and earlier (for Windows). Users can update to versions 20..10 and 21.2.1, respectively.
Adobe has previously addressed numerous serious flaws in its Photoshop photo-editing application, including dozens of arbitrary code-execution issues in March – an update that addressed 22 CVEs in Photoshop overall, 16 of which were critical.
Also fixed were critical flaws tied to three CVEs in Bridge, Adobe’s asset management app. These include an out-of-bounds read flaw (CVE-2020-9675) and out-of-bounds write issues (CVE-2020-9674, CVE-2020-9676) that could enable code execution. Adobe Bridge versions 10..3 and earlier are affected; users can update to version 10.1.1 for a fix.
Adobe also issued patches for critical vulnerabilities in its Prelude application, which works with its Premiere Pro video-editing application to allow users to tag media with metadata for searching, post-production workflows, and footage lifecycle management.
Prelude contains out-of-bounds read (CVE-2020-9677, CVE-2020-9679) and out-of-bounds write (CVE-2020-9678, CVE-2020-9680) flaws that can enable code execution. Adobe Prelude versions 9.0 and earlier for Windows are affected; users can update to version 9..1.
Powell was also credited with reporting these additional critical flaws.
Adobe also issued patches for an “important” severity flaw in Adobe Reader Mobile for Android, which allows users to view and edit PDFs from their smartphones. The application has a directory traversal issue (CVE-2020-9663) enabling information disclosure in the context of the current user. Adobe Reader Mobile for Android versions 20..1 and earlier are affected. Users can update to version 20.3 (for all Android versions).