Adobe fixes critical bugs in Creative Cloud, Media Encoder


Adobe has released security updates to address four critical vulnerabilities that could allow attackers to execute arbitrary code and write arbitrary files on Windows devices running vulnerable versions of Creative Cloud, Adobe Download Manager, and Adobe Media Encoder.

The remaining flaws among the 13 patched today could lead to privilege escalation via lack of exploit mitigations, insecure file permissions, DLL search-order hijacking, insecure library loading, and symlink vulnerabilities, and include an out-of-bounds read that can enable attackers to gain access to information beyond their permissions.

These important severity vulnerabilities were found in Adobe ColdFusion and Adobe Genuine Service, and they affect both Windows and macOS devices running unpatched software versions.

Adobe advises users to update the vulnerable apps to the latest versions to block attacks attempting to exploit unpatched installations.

APSB20-49 Security Updates Available for Adobe Download Manager

Adobe has released a security update for Adobe Download Manager for Windows that fixes a command injection bug reported by Dhiraj Mishra that could lead to arbitrary code execution.

Windows users should install Adobe Download Manager 2.0.0.518 to fix this critical vulnerability.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
|---|---|---|---|
| Command Injection | Arbitrary Code Execution | Critical | CVE-2020-9688 |

APSB20-43 Security updates available for Adobe ColdFusion

Adobe has published security updates for ColdFusion versions 2016 and 2018 to patch DLL search-order hijacking issues that could lead to privilege escalation.

Users should install ColdFusion 2016 Update 16 and ColdFusion 2018 Update 10 to fix these important severity flaws.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
|---|---|---|---|
| DLL search-order hijacking | Privilege escalation | Important | CVE-2020-9672, CVE-2020-9673 |

APSB20-42 Security Updates Available for Adobe Genuine Service

Adobe has issued updates for Adobe Genuine Service for Windows and macOS that fix insecure library loading and symbolic link mishandling bugs which could lead to privilege escalation in the context of the current user.

Users should install Adobe Genuine Service 7.1 to patch these security vulnerabilities.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
|---|---|---|---|
| Insecure library loading | Privilege Escalation | Important | CVE-2020-9667, CVE-2020-9681 |
| Mishandling symbolic links | Privilege Escalation | Important | CVE-2020-9668 |

APSB20-36 Security Updates Available for Adobe Media Encoder

Adobe has released updates for Adobe Media Encoder to address two critical out-of-bounds write issues and an important severity out-of-bounds read bug that might lead to arbitrary code execution and information disclosure in the context of the current user.

Windows and macOS users are advised to install Adobe Media Encoder 14.3 to fix these security issues.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
|---|---|---|---|
| Out-of-Bounds Read | Information Disclosure | Important | CVE-2020-9649 |
| Out-of-bounds Write | Arbitrary Code Execution | Critical | CVE-2020-9650, CVE-2020-9646 |

APSB20-33 Security update available for Adobe Creative Cloud Desktop Application

Adobe has released an update for the Creative Cloud Desktop Application for Windows that fixes critical and important severity issues that could lead to privilege escalation and arbitrary file system write after successful exploitation.

| Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers |
|---|---|---|---|
| Lack of Exploit Mitigations | Privilege escalation | Important | CVE-2020-9669 |
| Insecure File permissions | Privilege escalation | Important | CVE-2020-9671 |
| Symlink vulnerability | Privilege escalation | Important | CVE-2020-9670 |
| Symlink vulnerability | Arbitrary file system write | Critical | CVE-2020-9682 |

Users are advised to install Creative Cloud Desktop Application 5.2 to patch these security flaws.

 

The information is gathered from Bleeping Computer.