Adobe Puts Out Dozens of Patches

Adobe has released dozens of patches this week, addressing 42 separate CVEs in its regularly scheduled February updates, with 35 of the flaws rated as Critical severity.

The full release includes a total of five of Adobe’s widely-used software:

• Adobe Acrobat and Reader
• Adobe Digital Edition
• Adobe Experience Manager
• Adobe Flash Player
• Adobe Framemaker

“This update addresses multiple critical vulnerabilities,” Adobe stated in its security bulletin. “Successful exploitation could lead to arbitrary code execution in the context of the current user.”

Fixing Framemaker

The majority of the fixes (21) impact Adobe Framemaker, a document processor designed for writing and editing large or complex documents, according to a security advisory published on Tuesday.

The Framemaker flaws include buffer errors, heap overflow problems, out-of-bounds write, and memory corruption issues; any of which can lead to the execution of arbitrary code. Adobe Framemaker versions 2019.0.4 and below (for Windows) are affected and thus a patch has been published for version 2019.0.5.

Exploring the Vulnerabilities

Adobe Acrobat and Reader for Windows and macOS also contain 12 similar code execution vulnerabilities. These vulnerabilities include heap overflow, buffer errors, use-after-free flaws, and privilege escalation bugs.

Just like with Framemaker bugs, if exploited, these can lead to arbitrary code execution and file system writes. Adobe also remediated 3 important out-of-bounds read issues leading to information disclosure and 2 moderate stack exhaustion vulnerabilities that could be easily exploited to cause memory leaks.

The latest update for Adobe Flash Player, potentially one of the most infamous applications in terms of having a horrible security record, has a critical arbitrary code execution flaw. If exploited, the flaw could allow hackers to compromise targeted Windows, macOS, Linux, and Chrome OS-based devices.

Adobe’s Digital Edition, an eBook reader application, also has a critical and an important flaw in versions 4.5.10 and below. The critical flaw stems from a command-injection glitch (CVE-2020-3760) allowing potential arbitrary code execution. Command-injection attacks are possible when an application passes unsafe user supplied data (such as forms or HTTP headers) to a system shell.

Last, but possibly least, Adobe Experience Manager, Adobe’s content management solution, has an important-level uncontrolled resource consumption vulnerability (CVE-2020-3741) that could result in a denial-of-service condition.

Patching the Problems

Though none of the software vulnerabilities resolved this month were publicly disclosed or appear to have been exploited in the wild, all of the products mentioned above should be patched as soon as possible.

For a “one-stop-shop” with vulnerability scanning, patch management and endpoint detection and response in one package, look no further than Syxsense Secure. Available as a standalone software product or alongside 24/7 managed services from our dedicated, experienced team.

The similarly comprehensive Syxsense Manage solution offers additional endpoint, OS and patch management, oversight to complete the picture of meticulous and wide-ranging threat management.

Begin your organization’s journey toward airtight endpoint security with a free trial of Syxsense’s products and services.