Adobe Patches 18 Critical Flaws in Out-Of-Band Update


Adobe patched 18 critical vulnerabilities Tuesday impacting key products Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush and Audition. The out-of-band fixes address vulnerabilities that, if exploited, allow an attacker to execute arbitrary code. In its [security bulletin](<https://blogs.adobe.com/psirt/?p=1884>), Adobe said it was not aware of any exploits in the wild for any of the bugs.

Five of the critical flaws were discovered in [versions 17.1 and earlier](<https://helpx.adobe.com/security/products/after_effects/apsb20-35.html>) of After Effects. Users are encouraged to update to version 17.1.1. The After Effects flaws include an out-of-bounds read vulnerability (CVE-2020-9661), out-of-bounds write vulnerabilities (CVE-2020-9660, CVE-2020-9662) and heap overflow flaws (CVE-2020-9637, CVE-2020-9638).

Adobe Illustrator received five patches, including one for a buffer error (CVE-2020-9642) and memory corruption bugs (CVE-2020-9575, CVE-2020-9641, CVE-2020-9640, CVE-2020-9639). Versions 24.1.2 and earlier [of Illustrator 2020](<https://helpx.adobe.com/security/products/illustrator/apsb20-37.html>) are affected; version 24.2 of the popular illustration app has fixed the issues.

Adobe also patched three flaws in versions 1.5.12 and earlier of [Premiere Rush](<https://helpx.adobe.com/security/products/premiere_rush/apsb20-39.html>), Adobe’s video editing app. The flaws were fixed in version 1.5.16. They included two out-of-bounds write flaws (CVE-2020-9656, CVE-2020-9657) and an out-of-bounds read flaw (CVE-2020-9655).

And Adobe patched three flaws [in Premiere Pro](<https://helpx.adobe.com/security/products/premiere_pro/apsb20-38.html>), another version of Adobe’s video editing software that is more advanced than Adobe Premiere Rush (which is instead more targeted toward YouTubers and social media creators).
These include out-of-bounds write (CVE-2020-9653, CVE-2020-9654) and out-of-bounds read (CVE-2020-9652) vulnerabilities. Adobe Premiere Pro versions 14.2 and earlier are affected; users are urged to update to version 14.3.

Finally, versions 13.0.6 and earlier of Adobe’s audio app, Audition, had [two critical](<https://helpx.adobe.com/security/products/audition/apsb20-40.html>) out-of-bounds write flaws (CVE-2020-9658, CVE-2020-9659). These flaws were fixed in version 13.0.7 for Windows and macOS.

An “important” severity [out-of-bounds read bug](<https://helpx.adobe.com/security/products/campaign/apsb20-34.html>) (CVE-2020-9666) enabling information disclosure was also patched in Adobe Campaign Classic, its marketing campaign management application.

The out-of-band update comes a week after Adobe’s scheduled patches, where it stomped out [four critical flaws](<https://threatpost.com/adobe-warns-critical-flaws-flash-player-framemaker/156417/>) in Flash Player and in its FrameMaker document processor.