Adobe has dropped a mammoth out-of-band security update this week, addressing 92 vulnerabilities across 14 products.
The majority of the disclosed bugs are critical-severity problems, and most allow arbitrary code execution (ACE). Privilege escalation, denial of service and memory leaks/information disclosure are also well represented.
Adobe After Effects, Animate, Audition, Bridge, Character Animator, Illustrator, InDesign, Lightroom Classic, Media Encoder, Photoshop, Prelude, Premiere Pro, Premiere Elements and the XMP Toolkit SDK all received patches.
There’s plenty of commonality across the advisories. For instance, the lion’s share of the bugs allow access to a memory location past the end of a buffer, i.e., an out-of-bounds read or write, which Adobe rates as leading to ACE. An out-of-bounds write is the more dangerous of the two: like a classic buffer overflow, it lets attacker-controlled data overwrite whatever sits next to the buffer, which in the worst case is enough to hijack control flow. An out-of-bounds read more commonly leaks memory contents, though Adobe lists many of those under ACE as well.
Almost all of the critical problems rate 7.8 on the CVSS vulnerability severity scale, with one exception: the advisories list a set of “NULL pointer dereference bugs causing memory leak” flaws as the most severe issues in the bunch, all rating 8.3. (A NULL pointer dereference ordinarily crashes the process, so in practice these often present as a denial of service; the memory-leak impact is Adobe’s classification.) These pop up in Bridge, Media Encoder, Prelude and Premiere Elements.
Here’s the full breakdown of the critical bugs:
After Effects:
Animate:
Audition:
Bridge:
Character Animator:
Illustrator:
InDesign:
Lightroom Classic:
Media Encoder:
Photoshop:
Prelude:
Premiere Elements:
Premiere Pro:
XMP Toolkit SDK:
This bulletin was prompted by findings from two teams that deserve busy-beaver awards: Adobe variously credited researchers from TopSec Alpha Team and Trend Micro’s Zero-Day Initiative (ZDI) for most of the bugs, the exception being CVE-2021-40746 in Illustrator, credited to “Tmgr.” Having a small number of researchers hammering on the same kinds of file parsers across the product line would also explain some of the commonalities in the bulletins.
“Of the patches released by Adobe, nine of these came through the ZDI program,” Dustin Childs of ZDI told Threatpost. “Most of these are simple file-parsing bugs, but there are a couple of critical-rated out-of-bounds (OOB) write bugs as well. For these, the vulnerability results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage these bugs to execute code in the context of the current process.”
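The pattern Childs describes, a length or count read from the file and used to drive a copy into a fixed-size structure without checking that it fits, is the same one behind the out-of-bounds bugs mentioned earlier in the article. The C example below is added here to illustrate it; it is not code from Adobe, from the advisories or from ZDI. The “palette” chunk format, the Palette structure and all function names are invented for the illustration, and the sample chunks are constructed in the code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "palette" chunk, constructed for this example (not a real
 * Adobe file format): a 4-byte little-endian entry count followed by that
 * many 1-byte entries. The parser copies the entries into a fixed-size array
 * inside a Palette structure. */
#define PALETTE_MAX 16

typedef struct {
    uint8_t palette[PALETTE_MAX];
    size_t  n;
} Palette;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: the entry count is read from the file and checked only against
 * how much input is available, never against the capacity of the destination.
 * Any count above PALETTE_MAX writes past the end of out->palette, the
 * "write past the end of an allocated structure" pattern quoted above. */
int parse_palette_vulnerable(const uint8_t *buf, size_t len, Palette *out)
{
    if (len < 4) return -1;
    uint32_t count = le32(buf);
    if (count > len - 4) return -1;          /* source bound only */
    for (uint32_t i = 0; i < count; i++)
        out->palette[i] = buf[4 + i];        /* OOB write when count > 16 */
    out->n = count;
    return 0;
}

/* Hardened: the same parser with the destination bound enforced before the
 * copy. The chunk is rejected outright rather than silently truncated, so the
 * parser's state never disagrees with what it actually consumed. */
int parse_palette_hardened(const uint8_t *buf, size_t len, Palette *out)
{
    if (len < 4) return -1;
    uint32_t count = le32(buf);
    if (count > len - 4) return -1;          /* source bound: is the payload present? */
    if (count > PALETTE_MAX) return -1;      /* destination bound: does it fit? */
    memcpy(out->palette, buf + 4, count);
    out->n = count;
    return 0;
}

/* Builds a chunk claiming `count` entries of value 0x41 into dst, which must
 * hold at least 4 + count bytes. Returns the chunk length. */
size_t build_chunk(uint8_t *dst, uint32_t count)
{
    dst[0] = (uint8_t)count;
    dst[1] = (uint8_t)(count >> 8);
    dst[2] = (uint8_t)(count >> 16);
    dst[3] = (uint8_t)(count >> 24);
    memset(dst + 4, 0x41, count);
    return 4 + (size_t)count;
}

int main(void)
{
    /* A Palette followed by a canary, so the overflow has somewhere visible
     * to land. Feeding the hostile chunk to the vulnerable parser is
     * deliberate undefined behaviour; it is here only to show the effect. */
    struct { Palette p; uint8_t canary[16]; } victim;
    uint8_t chunk[64];
    size_t  len;

    memset(&victim, 0, sizeof victim);
    memset(victim.canary, 0xCC, sizeof victim.canary);

    len = build_chunk(chunk, 32);            /* claims 32 entries, capacity is 16 */
    parse_palette_vulnerable(chunk, len, &victim.p);
    printf("vulnerable: canary[0..3] = %02x %02x %02x %02x (was cc)\n",
           victim.canary[0], victim.canary[1], victim.canary[2], victim.canary[3]);

    printf("hardened:   rc = %d (chunk rejected)\n",
           parse_palette_hardened(chunk, len, &victim.p));
    return 0;
}
```

The vulnerable parser is not careless about bounds in general: it does verify that the claimed payload is actually present in the input, which is why a truncated file is rejected cleanly. What it never asks is whether the claimed count fits the destination, and that single missing comparison is the difference between a parser that rejects a hostile file and one that lets the file choose how far past the structure it writes.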
The fixes come two weeks after Adobe released its normal monthly Patch Tuesday patches. A company spokesperson characterized the release as “planned” rather than an emergency response – and indeed, Adobe said in its advisories that there’s no evidence that any of the bugs are being exploited in the wild.
“While we strive to release regularly scheduled updates on Patch Tuesday, occasionally these regularly scheduled security updates are released on non-Patch Tuesday dates,” a company spokesperson told The Register.
Of note: The advisory for Bridge is listed as priority 2 for patching, which in Adobe parlance means that the product has historically been at elevated risk for exploitation, so it comes with a recommendation that administrators patch within 30 days. The other advisories are priority 3, which is the lowest risk level, meaning that administrators can patch “at their discretion.” Adobe’s priority rating reflects how often a product has been targeted in the past, not the severity of the individual bugs, so a priority-3 advisory can still carry critical, CVSS 7.8 code-execution flaws, as most of these do.