Security updates released this week by Adobe address numerous critical and important vulnerabilities in Genuine Integrity Service, Acrobat and Reader, Photoshop, Experience Manager, ColdFusion, and Bridge.
Adobe Genuine Integrity Service for Windows was impacted by an important vulnerability that could allow an attacker to escalate privileges. Tracked as CVE-2020-3766, the issue was addressed in version 6.6 of the solution.
A total of 13 flaws were patched in Acrobat and Reader for Windows and macOS, nine of which are rated critical severity, leading to arbitrary code execution in the context of the current user. Rated important, the remaining four flaws could lead to information disclosure or privilege escalation.
The critical bugs include out-of-bounds write (CVE-2020-3795), stack-based buffer overflow (CVE-2020-3799), use-after-free (CVE-2020-3792, CVE-2020-3793, CVE-2020-3801, CVE-2020-3802, CVE-2020-3805), buffer overflow (CVE-2020-3807), and memory corruption (CVE-2020-3797).
Version 2020.006.20042 of Acrobat DC and Acrobat Reader DC, version 2017.011.30166 of Acrobat 2017 and Acrobat Reader 2017, and version 2015.006.30518 of Acrobat 2015 and Acrobat Reader 2015 resolve these vulnerabilities.
Adobe addressed 22 vulnerabilities in Photoshop for Windows and macOS, 16 of which are considered critical and could lead to arbitrary code execution, and six leading to information disclosure and rated important.
The critical bugs include one heap corruption, seven memory corruption issues, two out-of-bound write vulnerabilities, and six buffer errors. All of the important vulnerabilities are out-of-bound reads. Photoshop CC 2019 version 20.0.9 and Photoshop 2020 version 21.1.1 address all of these.
A single server-side request forgery (SSRF) vulnerability was patched in Adobe Experience Manager (AEM) with the release of Service Pack 6.5.4.0, Service Pack 6.4.8.0, and Cumulative Fix Pack 6.3.3.8.
Adobe fixed two critical severity flaws with the release of ColdFusion 2016 Update 14 and ColdFusion 2018 Update 8. The first could result in arbitrary file read from the Coldfusion install directory (CVE-2020-3761), while the other could lead to arbitrary code execution involving files located in the webroot or its subdirectory (CVE-2020-3794).
Both of the two critical issues patched in Adobe Bridge version 10.0.3 for Windows and macOS could lead to arbitrary code execution. These flaws include an out-of-bounds write (CVE-2020-9551) and a heap-based buffer overflow (CVE-2020-9552).
Related: Adobe Patches 42 Vulnerabilities Across Five Products
Related: Adobe Patches Critical Flaws in Acrobat, Brackets, Photoshop