Adobe Patches 18 Critical Flaws in Out-Of-Band Update

Critical vulnerabilities were patched in Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush and Audition.

Adobe patched 18 critical vulnerabilities Tuesday impacting key products Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush and Audition. The out-of-band fixes address vulnerabilities allowing an attacker to execute arbitrary code, if bugs are exploited.

In its security bulletin Adobe said it was not aware of any exploits in the wild for any of the bugs.

Five of the critical flaws were discovered in versions 17.1 and earlier of After Effects. Users are encouraged to update to version 17.1.1.

The After Effects flaws include an out-of-bounds read vulnerability (CVE-2020-9661), out-of-bounds write vulnerabilities (CVE-2020-9660, CVE-2020-9662) and heap overflow flaws ( CVE-2020-9637, CVE-2020-9638).

Adobe Illustrator received five patches, including one for a buffer error (CVE-2020-9642) and memory corruption bugs (CVE-2020-9575, CVE-2020-9641, CVE-2020-9640, CVE-2020-9639).  Versions 24.1.2 and earlier of Illustrator 2020 are affected, version 24.2 of the popular illustration app has fixed the issues.

Adobe also patched three flaws in versions 1.5.12 and earlier of Premiere Rush, Adobe’s video editing app. The flaws were fixed in version 1.5.16. They included two out-of-bounds write (CVE-2020-9656, CVE-2020-9657) and an out-of-bounds read flaw (CVE-2020-9655).

Also read: 6 Simple Tips on Cyber Safety at Home

And, Adobe patched three flaws in Premiere Pro, another version of Adobe’s video editing software that is more advanced than Adobe Premiere Rush (which is instead more targeted toward YouTubers and social media creators). These include out-of-bounds write (CVE-2020-9653, CVE-2020-9654) and out-of-bounds read (CVE-2020-9652) vulnerabilities. Adobe Premiere Pro versions 14.2 and earlier are affected; users are urged to update to version 14.3.

Finally, versions 13.0.6 and earlier of Adobe’s audio app, Audition, had two critical out-of-bounds write flaws (CVE-2020-9658, CVE-2020-9659). These flaws were fixed in version 13.0.7 for Windows and macOS.

An “important” severity out-of-bounds read bug (CVE-2020-9666) enabling information disclosure was also patched in Adobe Campaign Classic, its marketing campaign management application.

The out-of-band update comes a week after Adobe’s scheduled patches, where it stomped out four critical flaws in Flash Player and in its Framemaker document processor.

FREE Webinar: Are you on top of the shifting insider threats within your business? On June 24 at 2 p.m. ET, join Threatpost and our panel of experts for a complimentary webinar, “The Enemy Within: How Insider Threats Are Changing.” Get exclusive insights on how remote working has increased the risk of insider threats, and how to gain visibility into employee behavior while striking the right balance between privacy and ease of use. Please register here for this webinar.

Also read: Cost of GDPR Compliance for Singapore Companies


0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *