Adobe Critical Code-Execution Flaws Plague Windows Users

Adobe has issued patches for a slew of critical security vulnerabilities, which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.

Affected products include Adobe’s Framemaker document processor, designed for writing and editing large or complex documents; Adobe’s Connect software used for remote web conferencing; and the Adobe Creative Cloud software suite for video editing.

“Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” according to an Adobe spokesperson.

While these vulnerabilities are classified as critical-severity flaws, it’s important to note that they were given “priority 3” ratings by Adobe. This means that the update “resolves vulnerabilities in a product that has historically not been a target for attackers,” and that administrators are urged to “install the update at their discretion.”

Adobe Framemaker Security Flaw

Adobe fixed a critical flaw (CVE-2021-21056) in Framemaker, which could allow for arbitrary code execution if exploited. The vulnerability is an out-of-bounds read error; which is a type of buffer-overflow flaw where the software reads data past the end of the intended buffer. An attacker who can read out-of-bounds memory might be able to get “secret values” (like memory addresses) that could ultimately allow him to achieve code execution or denial of service.

Adobe Framemaker version 2019.0.8 and below (for Windows) are affected by the flaw; a patch is issued in version 2020.0.2. Francis Provencher, working with Trend Micro’s Zero Day Initiative, is credited with finding the bug.

Creative Cloud Desktop Application For Windows

Adobe also fixed three critical vulnerabilities in the desktop application version of Adobe Creative Cloud for Windows users.

Two of the three critical flaws could enable arbitrary code execution: One of these (CVE-2021-21068) stems from an arbitrary file-overwrite hole, while the other (CVE-2021-21078) exists due to an OS command-injection error. The third critical flaw (CVE-2021-21069) stems from improper input validation and could allow an attacker to gain escalated privileges.

The Creative Cloud desktop application versions 5.3 and earlier are affected; fixes are released in version 5.4.

Adobe Connect Critical and Important Flaws

Several critical- and important-severity bugs were patched in Adobe Connect.

One critical bug (CVE-2021-21078) stemmed from improper input validation; this could allow for arbitrary code execution.

And, three important cross-site scripting (XSS) flaws (CVE-2021-21079, CVE-2021-21080, CVE-2021-21081) were patched. These could allow for arbitrary JavaScript execution in the victim’s browser, if exploited.

Adobe Connect version 11.0.5 and earlier are affected; the fix was released in version 11.2.

Adobe Security Updates Continue

This month’s regularly-scheduled security fixes come on the heels of an actively-exploited critical flaw in February, which attackers leveraged to target Adobe Reader users on Windows.

That bug (CVE-2021-21017) was exploited in “limited attacks,” according to Adobe’s monthly advisory, containing its regularly scheduled February updates. The flaw in question is a critical-severity heap-based buffer-overflow flaw.

Check out our free ****upcoming live webinar events****_ – unique, dynamic discussions with cybersecurity experts and the Threatpost community:_
· March 24: Economics of 0-Day Disclosures: The Good, Bad and Ugly(Learn more and register!)
· April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)