Adobe Patches Slew of Critical Security Bugs in Bridge, Photoshop - 3 minutes read




The security bugs could open the door for arbitrary code-execution and full takeover of targeted machines.

Adobe has released security patches tackling four critical vulnerabilities in Adobe Bridge, along with other critical and important-rated updates for bugs in Adobe Digital Editions, Adobe Photoshop and RoboHelp.

In all, Adobe fixed 10 security holes in its products during its scheduled April updates, seven of them listed as critical.

None of the CVEs addressed by Adobe are listed as publicly known or under active attack at the time of release.

“This month, Adobe had four updates for Photoshop, Digital Editions, Bridge, and Robohelp and all rated as Priority 3,” Chris Goettl, senior director of product management and security at Ivanti, told Threatpost. “The reasoning behind Adobe’s prioritization is because this update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.”

Goettl noted that this is an aspect of vendor severity ratings that many don’t take into account – if applications are less likely to be targeted by threat actors, Adobe sets the severity of the vulnerability lower, regardless of how severe of a bug it may be. Thus, patching priority should be determined on an organization-by-organization basis.

“While historical evidence reflects Adobe’s assessment accurately, it does not remove all risk,” he noted. “Photoshop has had as many as nine exploited CVEs over the years, the most recent being the CVEs in 2015. Of these four updates, Photoshop is the riskiest.”

Adobe Bridge is a creative-asset manager that helps users preview, organize, edit and publish multiple creative assets in a streamlined way. It contains the four critical bugs as well as two “important” vulnerabilities:

“Arbitrary code execution, or ACE, vulnerabilities provide an adversary a platform to quickly execute additional code or applications on a target system, opening the door to lateral movement or quick exfiltration of system data,” Jay Goodman, manager of product marketing at Automox, said via email.

Adobe also addressed two critical vulnerabilities in Photoshop, its popular photo-editing software (CVE-2021-28548 and CVE-2021-28549). Both are buffer-overflow bugs that allow arbitrary code execution.

The company also patched a final critical vulnerability in Adobe Digital Editions, CVE-2021-21100, which is a privilege-escalation problem allowing an arbitrary file-system write. Digital Editions is Adobe’s e-Book reader software used for acquiring, managing and reading e-books, digital newspapers and other digital publications.

“This vulnerability allows an attacker to force the target application to overwrite any file on a system as a privileged user,” Goodman said. “This can allow an attacker to take a system offline by overwriting critical system files.”

And finally, Adobe patched one important-rated vulnerability in RoboHelp, which is a platform for authoring technical articles and how-tos. The bug, tracked as CVE-2021-21070, is an uncontrolled search path element that could allow privilege escalation.

Users can enable auto-updates for the bugs by going to Help > Check for Updates.

“These vulnerabilities should be patched within the 72-hour window to ensure attackers do not have the time to weaponize them against your organization,” Goodman noted.

Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event.

Source: Threatpost

Powered by NewsAPI.org