Adobe developers released unscheduled patches this week and fixed critical vulnerabilities in products such as Bridge, Illustrator, and Magento.
The company released three separate security bulletins and patches, eliminating a total of 35 vulnerabilities, 25 of which were considered critical. Exploiting the most serious problems from this list may lead to arbitrary code execution and information disclosure.
In Adobe Bridge, 14 critical bugs were fixed; they affected versions 10.0.4 and below on computers running Windows and macOS.
“Critical bugs include a stack buffer overflow (CVE-2020-9555), a couple of heap buffer overflow problems (CVE-2020-9562 and CVE-2020-9563), an error related to memory corruption (CVE-2020-9568), two use-after-free problems (CVE-2020-9566 and CVE-2020-9567), as well as eight vulnerabilities associated with out-of-bounds writes (CVE-2020-9554, CVE-2020-9556, CVE-2020-9559, CVE-2020-9560, CVE-2020-9561, CVE-2020-9564, CVE-2020-9565, CVE-2020-9569)”, Adobe reported.
If exploited by an attacker, any of these bugs can lead to the execution of arbitrary code in the context of the current user.
Adobe engineers also fixed issues CVE-2020-9553, CVE-2020-9557, and CVE-2020-9558, which were rated important and were associated with out-of-bounds reads that could lead to information disclosure.
The vulnerabilities in Adobe Illustrator 2020 affect version 24.0.2 and earlier. In this case, it is worth noting the bugs CVE-2020-9570, CVE-2020-9571, CVE-2020-9572, CVE-2020-9573 and CVE-2020-9574, which are associated with memory corruption and could also be used to execute arbitrary code.
Additionally, as mentioned above, the Magento e-commerce platform received its own security bulletin.
“Discovered and resolved vulnerabilities were dangerous for Magento Commerce and Open Source (2.3.4 and earlier), Magento Enterprise Edition (1.14.4.4 and earlier), and Magento Community Edition (1.9.4.4 and earlier). Magento Commerce and Open Source 2.2.11 and earlier are also vulnerable to problems, but it should be noted that support for Magento 2.2.x was discontinued in 2019”, Adobe specialists said.
In total, Adobe fixed 13 vulnerabilities in Magento, half of which are considered critical. These include CVE-2020-9576, CVE-2020-9578, CVE-2020-9582 and CVE-2020-9583, which allow command injection, as well as CVE-2020-9579, which allows protective mechanisms to be bypassed. If exploited, each of these problems can lead to the execution of arbitrary code.
Adobe thanked many independent researchers, as well as representatives of large companies such as the Trend Micro Zero Day Initiative and FortiGuard Labs for detecting vulnerabilities.
Let me remind you that a 0-day vulnerability was recently discovered in the Adobe Type Manager Library for Windows; however, temporary patches for it were quickly released.