Adobe releases security updates for 59 bugs affecting its core products, including Adobe Acrobat Reader, XMP Toolkit SDK and Photoshop.
Adobe is urging its legions of Acrobat Reader users to update their software to patch critical vulnerabilities that could allow adversaries to execute arbitrary code on unpatched versions.
The warnings are part of the firm’s September monthly security update, which this month addresses 59 bugs found in 15 of its products, including Photoshop, Premiere Elements, ColdFusion and InCopy.
In all, 36 of the vulnerabilities are rated “critical,” an Adobe-specific term indicating that the flaws, if exploited, “would allow malicious native-code to execute, potentially without a user being aware.”
As for the Adobe Acrobat family of software, 26 bugs were patched, 13 of which were critical and carried an Adobe priority rating of “2,” meaning that the affected product is at “elevated risk” of being attacked.
Other high-rated bugs include a bevy of code-execution vulnerabilities triggered via type confusion, heap-based buffer overflow or use-after-free conditions, all memory-safety flaws that are typically reached by opening a crafted file.
“[One] single bug fixed by [a] Photoshop patch could … lead to code execution when opening a specially crafted file,” commented Zero-Day Initiative in a Tuesday post.
“If you’re still using ColdFusion, you’ll definitely want to patch the two critical-rated security feature bypass bugs being fixed today,” ZDI continued.
Of the Adobe bugs rated highest in severity under the Common Vulnerability Scoring System (CVSS), standouts include a FrameMaker bug (CVE-2021-39830) rated 8.8. Another 8.8 high-severity bug (CVE-2021-39820), like the former, allows a threat actor to execute arbitrary code, in this case in versions of Adobe InDesign.
Next in terms of high-severity CVSS scores is a flaw in Adobe Digital Editions, rated 8.6. The vulnerability (CVE-2021-39826) is described as an OS command-injection bug.
“The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component,” MITRE explained about the weakness class behind the Digital Editions flaw.
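The pattern MITRE describes, as an added example that is not Adobe’s code and says nothing about how the Digital Editions flaw itself is triggered: a hypothetical “convert this file” step shells out with a user-controlled file name (the tainted path is constructed), first as a vulnerable string-built command, then with the untrusted element neutralized by shlex.quote(), then with the shell removed entirely, plus an allowlist check in front. The function names and the sample path are assumptions; it assumes a POSIX /bin/sh and an echo binary on PATH.

```python
import re
import shlex
import subprocess

# Constructed input: a file name carrying a shell metacharacter sequence.
# In a CWE-78 bug the ';' ends the intended command and starts a second one.
TAINTED_PATH = "book.epub; echo INJECTED"


def convert_vulnerable(path: str) -> str:
    """CWE-78 pattern: the command is built by string interpolation and
    handed to a shell, so special elements in `path` are interpreted."""
    cmd = f"echo converting {path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def convert_quoted(path: str) -> str:
    """Still shell-based, but the untrusted element is neutralized with
    shlex.quote(), so the shell sees one literal argument."""
    cmd = f"echo converting {shlex.quote(path)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def convert_hardened(path: str) -> str:
    """Preferred fix: no shell at all. argv is passed as a list, so
    metacharacters are just bytes inside a single argument."""
    return subprocess.run(["echo", "converting", path],
                          capture_output=True, text=True).stdout


# Defense in depth: a strict allowlist applied before any command is built.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def convert_allowlisted(path: str) -> str:
    """Reject anything outside the allowlist, then run the shell-free form."""
    if not SAFE_NAME.fullmatch(path):
        raise ValueError(f"rejected file name: {path!r}")
    return convert_hardened(path)


def injected(output: str) -> bool:
    """True if the attacker-chosen second command actually ran."""
    return "INJECTED\n" in output.splitlines(keepends=True)


if __name__ == "__main__":
    print("vulnerable :", injected(convert_vulnerable(TAINTED_PATH)))  # True
    print("quoted     :", injected(convert_quoted(TAINTED_PATH)))      # False
    print("hardened   :", injected(convert_hardened(TAINTED_PATH)))    # False
    try:
        convert_allowlisted(TAINTED_PATH)
    except ValueError as err:
        print("allowlist  :", err)
```

Of the three fixes, dropping the shell is the one to reach for first: quoting only helps if every interpolated element is quoted, and an allowlist only helps if it is applied on every path to the command. The echo stand-in keeps the example harmless; in a real converter the second command would run with the application’s privileges.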
None of the bugs fixed by Adobe this month are believed to be publicly known or under active attack, according to Adobe.