Adobe Calls Attention to Massive Batch of Code Execution Flaws

Patch Tuesday: Adobe patches 72 security vulnerabilities and warns that Windows and macOS users are at risk of code execution, memory leaks, and denial-of-service attacks.

Adobe on Tuesday released fixes for at least 72 security vulnerabilities across multiple products and warned that Windows and macOS users are at risk of code execution, memory leaks, and denial-of-service attacks.

The Patch Tuesday rollout addresses critical security defects in Adobe Acrobat and Reader, Illustrator, Photoshop, InDesign, Adobe Commerce, and Dimension, and the company is warning that the most severe of these vulnerabilities could allow attackers to take complete control of a target machine.

Adobe documented at least 12 flaws in the widely deployed Adobe Acrobat and Reader software that could expose users to code execution, privilege escalation, and memory leaks. 

Affected versions include Acrobat DC, Acrobat 2024, and Acrobat 2020 on both Windows and macOS platforms. 

The Adobe Illustrator product was also given a major security update to cover at least 7 documented vulnerabilities on both Windows and macOS systems. Adobe said the Illustrator flaws, rated critical, also introduce code execution risks.

Here are the raw details on the rest of the Adobe updates:

Adobe Dimension 

  • Affected Versions: Adobe Dimension 3.4.11 and earlier
  • CVE Numbers: CVE-2024-34124, CVE-2024-34125, CVE-2024-34126, CVE-2024-20789, CVE-2024-20790, CVE-2024-41865
  • Impact: Arbitrary code execution, memory leak
  • Platform: Windows and macOS
  • Recommendation: Update to Adobe Dimension Version 4.0.2

Adobe Photoshop

  • Affected Versions: Photoshop 2023: Version 24.7.3 and earlier; Photoshop 2024: Version 25.9.1 and earlier
  • CVE Number: CVE-2024-34117
  • Impact: Arbitrary code execution
  • Platform: Windows and macOS
  • Recommendation: Update to Photoshop 2023 Version 24.7.4 or Photoshop 2024 Version 25.11

Adobe InDesign 

  • Affected Versions: InDesign ID19.4 and earlier; InDesign ID18.5.2 and earlier
  • 13 documented flaws: CVE-2024-39389, CVE-2024-39390, CVE-2024-39391, CVE-2024-41852, CVE-2024-41853, CVE-2024-39393, CVE-2024-39394, CVE-2024-41850, CVE-2024-41851, CVE-2024-39395, CVE-2024-3412, CVE-2024-41854, CVE-2024-41866
  • Impact: Arbitrary code execution, memory leak, application denial-of-service
  • Platform: Windows and macOS
  • Update Recommendation: Update to InDesign ID19.5 or InDesign ID18.5.3

Adobe Bridge

  • Affected Versions: Bridge 13.0.8 and earlier; Bridge 14.1.1 and earlier
  • CVE Numbers: CVE-2024-39386, CVE-2024-39387, CVE-2024-41840
  • Impact: Arbitrary code execution, memory leak
  • Platform: Windows and macOS
  • Recommendation: Update to Bridge 13.0.9 or Bridge 14.1.2

Adobe Substance 3D Stager 

  • Affected Versions: Substance 3D Stager 3.0.2 and earlier
  • CVE Number: CVE-2024-39388
  • Impact: Arbitrary code execution
  • Platform: Windows and macOS
  • Update Recommendation: Update to Substance 3D Stager Version 3.0.3

Adobe Commerce 

  • Affected Versions: Adobe Commerce: Versions 2.4.7-p1 and earlier; Magento Open Source: Versions 2.4.7-p1 and earlier
  • CVE Numbers: CVE-2024-39397, CVE-2024-39398, CVE-2024-39399, CVE-2024-39400, CVE-2024-39401, CVE-2024-39402, CVE-2024-39403, CVE-2024-39406, CVE-2024-39404, CVE-2024-39405, CVE-2024-39407, CVE-2024-39408, CVE-2024-39409, CVE-2024-39410, CVE-2024-39411, CVE-2024-39412, CVE-2024-39413, CVE-2024-39414, CVE-2024-39415, CVE-2024-39416, CVE-2024-39417, CVE-2024-39418, CVE-2024-39419
  • Impact: Arbitrary code execution, privilege escalation, security feature bypass
  • Platform: All
  • Recommendation: Update to the latest Adobe Commerce or Magento Open Source versions

Adobe InCopy

  • Affected Versions: InCopy 19.4 and earlier; InCopy 18.5.2 and earlier
  • CVE Number: CVE-2024-41858
  • Impact: Arbitrary code execution
  • Platform: Windows and macOS
  • Recommendation: Update to InCopy Version 19.5 or Version 18.5.3

Adobe Substance 3D Sampler 

  • Affected Versions: Substance 3D Sampler 4.5 and earlier
  • CVE Numbers: CVE-2024-41860, CVE-2024-41861, CVE-2024-41862, CVE-2024-41863
  • Impact: Arbitrary code execution, memory leak
  • Platform: All
  • Recommendation: Update to Substance 3D Sampler Version 4.5.1

Adobe Substance 3D Designer

  • Affected Versions: Substance 3D Designer 13.1.2 and earlier
  • CVE Number: CVE-2024-41864
  • Impact: Arbitrary code execution
  • Platform: All
  • Recommendation: Update to Substance 3D Designer Version 13.1.3

Adobe said it was not aware of any of the documented vulnerabilities being exploited prior to the availability of patches.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
