Adobe released updates that patch critical remote code execution vulnerabilities besides other security flaws
Adobe released emergency updates for Adobe Illustrator, Adobe Bridge, and the Magento e-commerce platform. The updates include patches for 35 newly discovered vulnerabilities, 25 of which were reported as critical. If one of the affected programs is exploited, an attacker can execute arbitrary code or steal data.
These remote code execution vulnerabilities are considered critical because remote attackers can launch commands in the security context of the exploited process. These bugs can even lead to data loss and breaches.
There are several Critical-rated CVEs being addressed that could allow a remote attacker to execute code on a system if a user opened a specially crafted file.
Most of these flaws affect Adobe Bridge versions for macOS and Windows. This is the digital asset management software used by many companies and organizations. Seventeen flaws in Bridge that allow information disclosure and arbitrary code execution are fixed with this patch. Three of them are listed as important and the others as critical, so the update was out-of-band for a reason.
35 vulnerabilities, 25 of them deemed critical
The software developer released three separate security advisories addressing all 35 vulnerabilities, including 25 critical flaws. The most severe of these bugs can cause major damage when exploited, through malicious code execution and information leaks.
The critical vulnerabilities mainly involve the digital asset management app Adobe Bridge, which is affected by 17 flaws. Security researchers found that 14 of them are critical and can lead to remote attacks. The others are information disclosure issues. Bridge versions 10.0.4 and up have all these issues resolved, so install the needed patches.
The open-source platform of Magento CMS also received patches for 13 flaws: 6 critical, 4 important, and 3 moderate in severity. It is highly recommended to upgrade your e-commerce website to the latest version as soon as possible to avoid any issues related to Magento.
Five vulnerabilities in Adobe Illustrator also receive patches with this update. All of them are deemed critical due to malicious code execution risks. Illustrator 2020 versions 24.1.2 and later have all the needed fixes. Besides these particular software flaws, the Adobe update resolves authorization bypass, timing discrepancy, and stored XSS problems.
Admin-equivalent account needed for code execution
The advisory noted that the critical arbitrary code execution flaws can only be exploited by actors who obtain an authenticated user account, such as a compromised admin-equivalent account. Some of the important- and moderate-severity flaws do not require administrative rights, but the attacker still needs access to a low-privileged account to launch commands.
These flaws were not the only ones that Adobe has patched recently. Although this was not the regular update, Adobe also fixed issues in the ColdFusion, After Effects, and Digital Editions applications during its regular release of security patches. These bugs could allow viewing of sensitive data and denial-of-service attacks. The issues were marked as important-severity, making it a low-volume month for Adobe in vulnerability fixes.