Adobe Discloses Critical Code-Execution Bugs in July Update

Adobe has released its scheduled July 2020 security updates, covering flaws in five different product areas: Creative Cloud Desktop; Media Encoder; Download Manager; Genuine Service; and ColdFusion.

Four of the bugs are rated critical in severity, with the others ranked as important. Most of the important flaws involve privilege escalation, with the critical bugs opening the door to more dangerous attacks.

“Updates to both Adobe Download Manager and Media Encoder address critical vulnerabilities (CVE-2020-9688, 9646, and 9650) that could lead to arbitrary code execution,” Justin Knapp, product marketing manager at Automox, told Threatpost. “The fourth critical vulnerability (CVE-2020-9682) impacts Creative Cloud Desktop, and if exploited, could allow an attacker to create or modify files.”

Creative Cloud Desktop

Adobe has released patches for four different flaws in its Creative Cloud Desktop Application for Windows, including a critical flaw allowing arbitrary file system writes.

Creative Cloud is a suite of apps and services for creating and processing video, design, photography and web art. Affected versions of the product include Creative Cloud Desktop Application 5.1 and earlier, Adobe noted in its scheduled monthly security update on Tuesday.

The critical flaw is a symbolic link (symlink) vulnerability (CVE-2020-9682) that could allow an attacker with a successful exploit to create or modify a file in a location they could not normally access. Symlinks are shortcuts to other files.

“While this is a critical vulnerability, Adobe has ranked it a 2, which means these systems could be at an increased risk based on past history, then again for this particular vulnerability there are no current known exploits,” said Jimmy Graham, senior director of product management, after reviewing the advisory.

The patches also address three important-rated security bugs, all of which could lead to privilege escalation in the context of the current user. The bug tracked as CVE-2020-9669 is caused due to a lack of exploit mitigations; CVE-2020-9671 is caused via insecure file permissions; and CVE-2020-9670 is another, less severe symlink vulnerability.

Acknowledgements for finding the flaws went to Xavier Danest of Decathlon (CVE-2020-9671); and Zhongcheng Li of Topsec Alpha Team (CVE-2020-9669, CVE-2020-9670 and CVE-2020-9682).

Media Encoder

Adobe also released an update for Adobe Media Encoder for Windows, 14.2 and earlier versions. Media Encoder is part of Adobe’s video-editing suite and is responsible for converting video files to the proper format to ensure they play well on different kinds of devices.

The advisory addresses two critical out-of-bounds write bugs (CVE-2020-9650 and CVE-2020-9646) that could lead to arbitrary code execution; and an important out-of-bound read (CVE-2020-9649) that could allow information disclosure in the context of the current user.

“On its own, arbitrary code-execution exploits are limited in scope to the privilege of the affected process, but when combined with privilege escalation vulnerabilities it can allow an attacker to quickly escalate a process’s privileges and execute code on the target system giving the attacker full control over the device,” Knapp said.

Adobe credited the Trend Micro Zero Day Initiative for reporting the issues.

Download Manager

Also among the security fixes is a patch for a critical vulnerability that could lead to arbitrary code-execution in Adobe Download Manager for Windows. The bug (CVE-2020-9688) affects version 2.0.0.518 of the platform.

The issue allows for command injection if exploited, which could ultimately open the door to arbitrary code-execution.

Security researcher Dhiraj Mishra (@RandomDhiraj) reported the issue.

Genuine Service

The Adobe Genuine Service for Windows and macOS meanwhile, which periodically validates already-installed Adobe software to root out incorrect and invalid licenses, and pirated software, has three important vulnerabilities.

These could all lead to privilege escalation in the context of the current user. They include two insecure library loading bugs (CVE-2020-9667 and CVE-2020-9681); and one is a result of the mishandling of symlinks (CVE-2020-9668)

They affect Genuine Service versions 6.6 and earlier versions, according to Adobe’s update.

Adobe credited Adrian Denkiewicz from CQURE (CVE-2020-9667) and Topsec Alpha Team’s Li (CVE-2020-9668, CVE-2020-9681) for the finds.

Adobe ColdFusion

And finally, Adobe also released patches for multiple important vulnerabilities in ColdFusion versions 2016 (Update 15 and earlier) and 2018 (Update 9 and earlier). ColdFusion is the vendor’s popular platform for building and deploying web and mobile applications.

Two CVEs cover flaws allowing DLL search-order hijacking, leading to privilege escalation (CVE-2020-9672 and CVE-2020-9673). The bugs were reported by Nuttakorn Tungpoonsup and Ammarit Thongthua of the Secure D Center Research Team, along with Sittikorn Sangrattanapitak, an independent cybersecurity researcher.

The July patch update is light compared to Adobe’s usual slew of monthly security fixes, but that may be because the company issued an out-of-band update for 18 critical vulnerabilities in mid-June. These impacted a raft of key products, including Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush and Audition. With successful exploits, the flaws would allow attackers to execute arbitrary code.

“The Adobe bulletin list for this month is pretty light and none of the more high-profile targets are included,” Chris Goettl, director of product management for security at Ivanti, told Threatpost. “Flash player has a release as well, but it is not security-related. Adobe Acrobat and Reader were updated in May so it is likely we will see the due for some attention in the August patch cycle.”

As for July’s updates, administrators should nonetheless prioritize applying the patches ASAP, Knapp said.

“With the average organization taking 107 days to patch a new vulnerability, it is likely that there are now many organizations with both arbitrary code-execution and privilege-escalation vulnerabilities present on corporate devices that could create a perfect storm for attackers to exploit,” he told Threatpost.

_BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a _FREE webinar_, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. _Click here to register_ for this Threatpost webinar, sponsored by Valimail._