Nov 2, 2021

Adobe’s Surprise Security Bulletin Dominated by Critical Patches

Out of 92 security vulnerabilities, 66 are rated critical in severity, mostly allowing code execution. The most severe can lead to information disclosure.
Adobe has dropped a mammoth out-of-band security update this week, addressing 92 vulnerabilities across 14 products.
The majority of the disclosed bugs are critical-severity problems, and most allow arbitrary code execution (ACE). Privilege escalation, denial-of-service and memory leaks/information disclosure are all well-represented, as well.
Adobe After Effects, Animate, Audition, Bridge, Character Animator, Illustrator, InDesign, Lightroom Classic, Media Encoder, Photoshop, Prelude, Premiere Pro, Premiere Elements and the XMP Toolkit SDK all received patches.

There’s plenty of commonality across the advisories. For instance, the lion’s share of the bugs allow access to a memory location after the end of a buffer, an out-of-bounds memory-safety issue that, like a classic buffer overflow, can in the worst case be exploited for ACE.
Also, almost all of the critical problems rate 7.8 on the CVSS vulnerability severity scale, except for one type. The advisory lists “NULL pointer dereference bugs causing memory leak” flaws as the most severe issues in the bunch, all rating 8.3 on the CVSS scale. These pop up in Bridge, Media Encoder, Prelude and Premiere Elements.
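To make the bug class concrete, here is an added illustration (not code from Adobe or from any of the affected products) of how a file parser ends up writing past the end of a buffer: a constructed, hypothetical record format carries its own length byte, and the unchecked parser trusts it. The hardened variant validates the declared length against both the destination capacity and the bytes actually present before copying. The record layout, the PAYLOAD_CAP constant and the status codes are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy record format (assumption for this example, not a real Adobe format):
 *   byte 0     : declared payload length N
 *   bytes 1..N : payload
 * The parser copies the payload into a fixed-size buffer inside struct record. */
#define PAYLOAD_CAP 16

struct record {
    uint8_t payload[PAYLOAD_CAP];
    size_t len;
};

/* Vulnerable variant: trusts the length byte read from the file. A declared length
 * larger than PAYLOAD_CAP writes past the end of rec->payload (out-of-bounds write),
 * and a length larger than the input reads past the end of buf (out-of-bounds read).
 * Shown only for contrast with the checked version below. */
int parse_record_unchecked(const uint8_t *buf, size_t buf_len, struct record *rec) {
    if (buf_len < 1) return -1;
    size_t n = buf[0];
    memcpy(rec->payload, buf + 1, n);  /* no check that n <= PAYLOAD_CAP or n <= buf_len - 1 */
    rec->len = n;
    return 0;
}

/* Hardened variant: every value taken from the input is validated before it is used
 * to size a memory operation. Status codes (assumed): 0 ok, -1 bad args, -2 would
 * overflow the destination, -3 input is shorter than the declared length. */
int parse_record_checked(const uint8_t *buf, size_t buf_len, struct record *rec) {
    if (buf == NULL || rec == NULL || buf_len < 1) return -1;
    size_t n = buf[0];
    if (n > PAYLOAD_CAP) return -2;   /* destination bound */
    if (n > buf_len - 1) return -3;   /* source bound (buf_len >= 1 here, so no underflow) */
    memcpy(rec->payload, buf + 1, n);
    rec->len = n;
    return 0;
}

/* Small helpers so the result of a parse can be checked as a return value. */
int parse_status(const uint8_t *buf, size_t buf_len) {
    struct record r;
    return parse_record_checked(buf, buf_len, &r);
}

int parsed_len(const uint8_t *buf, size_t buf_len) {
    struct record r;
    if (parse_record_checked(buf, buf_len, &r) != 0) return -1;
    return (int)r.len;
}

int main(void) {
    /* Constructed sample inputs */
    const uint8_t good[]      = {4, 'A', 'B', 'C', 'D'};
    const uint8_t oversized[] = {200, 'X'};        /* declares 200 bytes: would overflow payload */
    const uint8_t truncated[] = {8, 'a', 'b'};     /* declares 8 bytes, supplies 2 */
    printf("good:      %d\n", parse_status(good, sizeof good));
    printf("oversized: %d\n", parse_status(oversized, sizeof oversized));
    printf("truncated: %d\n", parse_status(truncated, sizeof truncated));
    return 0;
}
```

The point of the checked version is that the two comparisons map directly to the two directions an out-of-bounds access can take: the destination check prevents the write past the allocated structure that ZDI describes below, and the source check prevents reading beyond the input, which is the typical route to a memory-leak or information-disclosure finding.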
Here’s the full breakdown of the critical bugs:
After Effects:
Animate:
Audition:
Bridge:
Character Animator:
Illustrator:
InDesign:
Lightroom Classic:
Media Encoder:
Photoshop:
Prelude:
Premiere Elements:
Premiere Pro:
XMP Toolkit SDK:
This bulletin was prompted by findings from two teams that deserve busy-beaver awards: Adobe variously credited researchers from TopSec Alpha Team and Trend Micro’s Zero-Day Initiative (ZDI) for most of the bugs, except for CVE-2021-40746 in Illustrator, credited to “Tmgr.” This could also explain some of the commonalities in the bulletins.
“Of the patches released by Adobe, nine of these came through the ZDI program,” Dustin Childs of ZDI told Threatpost. “Most of these are simple file-parsing bugs, but there are a couple of critical-rated out-of-bounds (OOB) write bugs as well. For these, the vulnerability results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage these bugs to execute code in the context of the current process.”
The fixes come two weeks after Adobe released its normal monthly Patch Tuesday patches. A company spokesperson characterized the release as “planned” rather than an emergency response – and indeed, Adobe said in its advisories that there’s no evidence that any of the bugs are being exploited in the wild.
“While we strive to release regularly scheduled updates on Patch Tuesday, occasionally these regularly scheduled security updates are released on non-Patch Tuesday dates,” a company spokesperson told The Register.
Of note: The advisory for Bridge is listed as priority 2 for patching, which in Adobe parlance means that the product has historically been at elevated risk for exploitation, so it comes with a recommendation that administrators patch within 30 days. The other advisories are priority 3, which is the lowest risk level, meaning that administrators can patch “at their discretion.”