
Adobe Patches Critical Flaws in Reader, ColdFusion, Other Products

Security updates released this week by Adobe address numerous critical and important vulnerabilities in Genuine Integrity Service, Acrobat and Reader, Photoshop, Experience Manager, ColdFusion, and Bridge.


Adobe Genuine Integrity Service for Windows was impacted by an important vulnerability that could allow an attacker to escalate privileges. Tracked as CVE-2020-3766, the issue was addressed in version 6.6 of the solution.

A total of 13 flaws were patched in Acrobat and Reader for Windows and macOS, nine of which are rated critical severity, leading to arbitrary code execution in the context of the current user. Rated important, the remaining four flaws could lead to information disclosure or privilege escalation.

The critical bugs include out-of-bounds write (CVE-2020-3795), stack-based buffer overflow (CVE-2020-3799), use-after-free (CVE-2020-3792, CVE-2020-3793, CVE-2020-3801, CVE-2020-3802, CVE-2020-3805), buffer overflow (CVE-2020-3807), and memory corruption (CVE-2020-3797).

Version 2020.006.20042 of Acrobat DC and Acrobat Reader DC, version 2017.011.30166 of Acrobat 2017 and Acrobat Reader 2017, and version 2015.006.30518 of Acrobat 2015 and Acrobat Reader 2015 resolve these vulnerabilities.

Adobe addressed 22 vulnerabilities in Photoshop for Windows and macOS, 16 of which are rated critical and could lead to arbitrary code execution, while the remaining six are rated important and could lead to information disclosure.

The critical bugs include one heap corruption, seven memory corruption issues, two out-of-bounds write vulnerabilities, and six buffer errors. All of the important vulnerabilities are out-of-bounds reads. Photoshop CC 2019 version 20.0.9 and Photoshop 2020 version 21.1.1 address all of these.

A single server-side request forgery (SSRF) vulnerability was patched in Adobe Experience Manager (AEM) with the release of Service Pack 6.5.4.0, Service Pack 6.4.8.0, and Cumulative Fix Pack 6.3.3.8.

Adobe fixed two critical severity flaws with the release of ColdFusion 2016 Update 14 and ColdFusion 2018 Update 8. The first could result in arbitrary file read from the ColdFusion install directory (CVE-2020-3761), while the other could lead to arbitrary code execution involving files located in the webroot or one of its subdirectories (CVE-2020-3794).

Both critical issues patched in Adobe Bridge version 10.0.3 for Windows and macOS could lead to arbitrary code execution. These flaws are an out-of-bounds write (CVE-2020-9551) and a heap-based buffer overflow (CVE-2020-9552).
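The fixed builds listed above, turned into an added example (not Adobe's or SecurityWeek's code) of a patch-status check that picks the right Acrobat/Reader and Photoshop release track from the installed version before comparing numerically; the product keys and the host inventory are constructed for illustration. ColdFusion is left out because its fixes are named as update numbers rather than dotted versions.

```python
import re

# Minimum fixed builds from the advisories summarized above. For products with
# several release tracks, the key is the leading component of the installed
# version (2020 = Acrobat/Reader DC, 2017 and 2015 = the classic tracks;
# 20 = Photoshop CC 2019, 21 = Photoshop 2020). None means a single track.
FIXED_VERSIONS = {
    "genuine-integrity-service": {None: "6.6"},
    "acrobat-reader": {"2020": "2020.006.20042",
                       "2017": "2017.011.30166",
                       "2015": "2015.006.30518"},
    "photoshop": {"20": "20.0.9", "21": "21.1.1"},
    "bridge": {None: "10.0.3"},
}


def parse_version(version):
    """Turn '2020.006.20042' into (2020, 6, 20042) so comparison is numeric.
    A plain string comparison would rank '2020.006.2999' above '2020.006.20042'."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(product, installed):
    """True if the installed build is at or above the fixed build for its track."""
    tracks = FIXED_VERSIONS[product]
    parsed = parse_version(installed)
    if None in tracks:
        fixed = tracks[None]
    else:
        track = str(parsed[0])  # e.g. a 2017.x build is compared against 2017.011.30166, not the DC build
        if track not in tracks:
            raise ValueError(f"{product}: no fixed build known for track {track}")
        fixed = tracks[track]
    return parsed >= parse_version(fixed)


def unpatched(inventory):
    """inventory: iterable of (host, product, installed); returns the hosts still exposed."""
    return [(host, product, ver) for host, product, ver in inventory
            if not is_patched(product, ver)]


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-01", "acrobat-reader", "2020.006.20042"),  # DC track, exactly the fixed build
    ("ws-02", "acrobat-reader", "2017.011.30100"),  # 2017 track, below 2017.011.30166
    ("ws-03", "photoshop", "21.0.3"),               # Photoshop 2020, below 21.1.1
    ("ws-04", "bridge", "10.0.3"),
]
```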


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
