SecurityWeek
Vulnerabilities

Adobe Patches Critical Flaws in Reader, ColdFusion, Other Products

Security updates released this week by Adobe address numerous critical and important vulnerabilities in Genuine Integrity Service, Acrobat and Reader, Photoshop, Experience Manager, ColdFusion, and Bridge.

Adobe Genuine Integrity Service for Windows was affected by an important-severity vulnerability that could allow an attacker to escalate privileges. Tracked as CVE-2020-3766, the issue was addressed in version 6.6 of the service.

A total of 13 flaws were patched in Acrobat and Reader for Windows and macOS, nine of which are rated critical severity, leading to arbitrary code execution in the context of the current user. Rated important, the remaining four flaws could lead to information disclosure or privilege escalation.

The critical bugs include out-of-bounds write (CVE-2020-3795), stack-based buffer overflow (CVE-2020-3799), use-after-free (CVE-2020-3792, CVE-2020-3793, CVE-2020-3801, CVE-2020-3802, CVE-2020-3805), buffer overflow (CVE-2020-3807), and memory corruption (CVE-2020-3797).

Version 2020.006.20042 of Acrobat DC and Acrobat Reader DC, version 2017.011.30166 of Acrobat 2017 and Acrobat Reader 2017, and version 2015.006.30518 of Acrobat 2015 and Acrobat Reader 2015 resolve these vulnerabilities.

Adobe addressed 22 vulnerabilities in Photoshop for Windows and macOS, 16 of which are rated critical and could lead to arbitrary code execution, while the remaining six are rated important and could lead to information disclosure.

The critical bugs include one heap corruption, seven memory corruption issues, two out-of-bounds writes, and six buffer errors. All of the important vulnerabilities are out-of-bounds reads. Photoshop CC 2019 version 20.0.9 and Photoshop 2020 version 21.1.1 address all of these.

A single server-side request forgery (SSRF) vulnerability was patched in Adobe Experience Manager (AEM) with the release of Service Pack 6.5.4.0, Service Pack 6.4.8.0, and Cumulative Fix Pack 6.3.3.8.


Adobe fixed two critical-severity flaws with the release of ColdFusion 2016 Update 14 and ColdFusion 2018 Update 8. The first could result in arbitrary file read from the ColdFusion install directory (CVE-2020-3761), while the other could lead to arbitrary code execution involving files located in the webroot or its subdirectories (CVE-2020-3794).

Both critical issues patched in Adobe Bridge version 10.0.3 for Windows and macOS could lead to arbitrary code execution. These flaws are an out-of-bounds write (CVE-2020-9551) and a heap-based buffer overflow (CVE-2020-9552).
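The fixed versions named above for Acrobat and Reader, Photoshop and Bridge are what an endpoint inventory has to be checked against, and version strings such as 2020.006.20042 must be compared field by field as integers rather than as text. The following Python script is an added example written for this page, not code from Adobe or SecurityWeek; the only facts it encodes are the fixed versions stated in the article. The mapping of installed builds to release tracks (Acrobat/Reader builds beginning with 2015. and 2017. treated as the two classic tracks and everything else as the continuous DC track; Photoshop 20.x treated as CC 2019 and 21.x as Photoshop 2020), the hostnames and the installed version numbers in the sample inventory are assumptions constructed for illustration.

```python
"""Check installed Adobe product versions against the fixed versions named in
this advisory. Added example code, not Adobe's or SecurityWeek's.

Assumptions (not stated in the article):
 - Acrobat/Reader builds beginning with 2015. belong to the 2015 classic track,
   2017. to the 2017 classic track, everything else to the continuous (DC) track.
 - Photoshop 20.x is CC 2019 and 21.x is Photoshop 2020.
 - Any build numerically below the fixed version on its track is reported as
   unpatched; the script does not know Adobe's exact affected ranges.
"""
from __future__ import annotations

# Fixed versions as stated in the article: product -> track -> fixed version.
FIXED = {
    "acrobat": {
        "2015": "2015.006.30518",
        "2017": "2017.011.30166",
        "dc": "2020.006.20042",
    },
    "photoshop": {
        "20": "20.0.9",   # Photoshop CC 2019
        "21": "21.1.1",   # Photoshop 2020
    },
    "bridge": {
        "10": "10.0.3",
    },
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2020.006.20042' into (2020, 6, 20042) so comparison is numeric, not lexical."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {v!r}")
    return tuple(int(p) for p in parts)


def track_for(product: str, version: str) -> str:
    """Map an installed build to the release track whose fixed version applies (assumed mapping)."""
    major = str(parse_version(version)[0])
    if product == "acrobat":
        return major if major in ("2015", "2017") else "dc"
    if major in FIXED[product]:
        return major
    raise ValueError(f"no fixed version known for {product} {version}")


def is_patched(product: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed version for its track."""
    track = track_for(product, installed)
    return parse_version(installed) >= parse_version(FIXED[product][track])


def audit(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str, str]]:
    """Return (host, product, installed, fixed) for every install below its track's fix."""
    findings = []
    for host, product, installed in inventory:
        track = track_for(product, installed)
        if not is_patched(product, installed):
            findings.append((host, product, installed, FIXED[product][track]))
    return findings


# Constructed sample inventory: hostnames and installed builds are made up.
SAMPLE_INVENTORY = [
    ("ws01", "acrobat", "2019.021.20061"),   # DC continuous, below fix
    ("ws02", "acrobat", "2020.006.20042"),   # DC continuous, at fix
    ("ws03", "acrobat", "2017.011.30158"),   # 2017 classic, below fix
    ("ws04", "acrobat", "2015.006.30518"),   # 2015 classic, at fix
    ("ws05", "photoshop", "21.0.3"),         # Photoshop 2020, below fix
    ("ws06", "photoshop", "20.0.9"),         # CC 2019, at fix
    ("ws07", "bridge", "10.0.1"),            # below fix
]

if __name__ == "__main__":
    for host, product, installed, fixed in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} is below fixed version {fixed}")
```

Feed `audit()` the (host, product, version) triples your endpoint management tool exports; the script flags ws01, ws03, ws05 and ws07 from the sample set. Because it only knows the fixed versions, it cannot distinguish "affected" from "older than the fix", which is the conservative reading a patch-compliance check should take.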

Related: Adobe Patches 42 Vulnerabilities Across Five Products

Related: Adobe Patches Critical Flaws in Acrobat, Brackets, Photoshop

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
