Critical Adobe Photoshop Flaws Patched in Emergency Update

2020-07-21T15:06:50
ID THREATPOST:935FDBA342DDD020D66B791DBE0AEA4D
Type threatpost
Reporter Lindsey O'Donnell
Modified 2020-07-21T15:06:50

Description

Adobe released a slew of patches for critical vulnerabilities Tuesday that were part of an out-of-band security update. Several of the critical flaws are tied to Adobe’s popular Photoshop photo-editing software and allow adversaries to execute arbitrary code on targeted Windows devices.

Overall, Adobe issued patches for flaws tied to 12 CVEs across Bridge, Prelude and Photoshop applications. The unscheduled updates come a week after Adobe issued its official July 2020 security updates, including critical code-execution bugs.

Adobe said it was not aware of any exploits in the wild for any of the bugs patched in the update. The company did not offer technical details regarding the Photoshop CVEs.

Threatpost reached out to Mat Powell, researcher with Trend Micro’s Zero Day Initiative, who is credited for finding each of the critical flaws. Powell has not responded to that request. Threatpost hopes to update this report with additional commentary from the researcher.

All of the reported critical flaws stem from out-of-bounds read and write vulnerabilities, which occur when software reads or writes data past the end of – or before the beginning of – the intended buffer, potentially resulting in corruption of sensitive information, a crash, or code execution, among other outcomes.
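As an added illustration of the bug class described above (this is not code from Adobe or from the Photoshop advisories, which give no technical detail), the following is a bounds-checked parser for a hypothetical length-prefixed chunk format; the comments mark the two checks whose absence would produce an out-of-bounds read and an out-of-bounds write respectively. The chunk layout, the function name and the sample bytes are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical chunk layout (constructed for this example):
 *   byte 0      : tag
 *   bytes 1-2   : big-endian payload length
 *   bytes 3..   : payload
 * Copies the payload of the chunk starting at `off` into `out`.
 * Returns the payload length on success, -1 if the chunk is malformed. */
int copy_chunk_payload(const uint8_t *buf, size_t buf_len, size_t off,
                       uint8_t *out, size_t out_len)
{
    /* The 3-byte header must lie inside the buffer. Without this check the
     * length bytes themselves are fetched past the end of `buf`
     * (out-of-bounds read, CWE-125). Written as a subtraction guarded by
     * `off > buf_len` so the arithmetic cannot wrap. */
    if (off > buf_len || buf_len - off < 3)
        return -1;

    size_t len = ((size_t)buf[off + 1] << 8) | buf[off + 2];
    size_t payload_off = off + 3;   /* <= buf_len, guaranteed above */

    /* The declared payload must fit in what remains of the input. A
     * file-controlled length that exceeds it would otherwise make memcpy
     * read past the end of `buf` (out-of-bounds read). */
    if (len > buf_len - payload_off)
        return -1;

    /* The payload must also fit in the destination. Otherwise memcpy writes
     * past the end of `out` (out-of-bounds write, CWE-787), the precondition
     * for corrupting adjacent memory. */
    if (len > out_len)
        return -1;

    memcpy(out, buf + payload_off, len);
    return (int)len;
}

int main(void)
{
    /* Constructed sample: tag 0x01, length 3, payload "abc". */
    const uint8_t good[] = {0x01, 0x00, 0x03, 'a', 'b', 'c'};
    /* Constructed sample: header claims 65535 bytes but only 1 follows. */
    const uint8_t oob_read[] = {0x01, 0xFF, 0xFF, 'a'};
    uint8_t out[8];

    printf("good chunk    -> %d\n", copy_chunk_payload(good, sizeof good, 0, out, sizeof out));
    printf("oversized len -> %d\n", copy_chunk_payload(oob_read, sizeof oob_read, 0, out, sizeof out));
    return 0;
}
```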

Adobe Photoshop features two out-of-bounds read flaws (CVE-2020-9683, CVE-2020-9686) and three out-of-bounds write issues (CVE-2020-9684, CVE-2020-9685, CVE-2020-9687). All of these could “lead to arbitrary code execution in the context of the current user,” according to Adobe.

The Photoshop vulnerabilities affect Photoshop CC 2019 versions 20.0.9 and earlier and Photoshop 2020 21.2 and earlier (for Windows). Users can update to versions 20.0.10 and 21.2.1, respectively.

Adobe has previously addressed various serious flaws in its Photoshop photo-editing app, including dozens of arbitrary code-execution issues in March – an update which addressed 22 CVEs in Photoshop overall, 16 of which were critical.

Other Flaws

Also fixed were critical flaws tied to three CVEs in Bridge, Adobe’s asset management app. These include an out-of-bounds read flaw (CVE-2020-9675) and out-of-bounds write issues (CVE-2020-9674, CVE-2020-9676) that could enable code execution. Adobe Bridge versions 10.0.3 and earlier are affected; users can update to version 10.1.1 for a fix.

Adobe also issued patches for critical vulnerabilities in its Prelude app, which works with its Premiere Pro video editing app to allow users to tag media with metadata for searching, post-production workflows, and footage lifecycle management.

Prelude contains out-of-bounds read (CVE-2020-9677, CVE-2020-9679) and out-of-bounds write (CVE-2020-9678, CVE-2020-9680) glitches that can allow code execution. Adobe Prelude versions 9.0 and earlier for Windows are affected; users can update to version 9.0.1.

Powell was also credited with reporting the additional critical flaws.

Adobe also issued patches for an “important” severity flaw in Adobe Reader Mobile for Android, which allows users to view and edit PDFs from their smartphones. The application has a directory traversal issue (CVE-2020-9663) enabling information disclosure in the context of the current user. Adobe Reader Mobile for Android versions 20.0.1 and earlier are impacted. Users can update to version 20.3 (for all Android versions).