Adobe has issued an out-of-band update correcting 18 critical flaws in Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush, Campaign, and Audition. All 18 flaws allow remote execution of arbitrary code.
The updates were released on Tuesday June 16, 2020. Adobe says it is unaware of any public exploits for the vulnerabilities, but users of the above products are strongly advised to update to the latest version of the software as soon as possible.
Five of the flaws affect versions 17.1 and earlier of Adobe After Effects and have been corrected in version 17.1.1. There are two heap overflow flaws (CVE-2020-9637 and CVE-2020-9638), two out-of-bounds write vulnerabilities (CVE-2020-9660 and CVE-2020-9662), and one out-of-bound read vulnerability (CVE-2020-9661).
Five flaws have been fixed in version 24.2 of Adobe Illustrator. The flaws affect versions 24.1.2 and earlier versions of Illustrator 2020. There are four memory corruption vulnerabilities (CVE-2020-9575, CVE-2020-9639, CVE-2020-9640, and CVE-2020-9641) and one buffer error (CVE-2020-9642).
Adobe Premiere Rush version 1.5.16 corrects three vulnerabilities that are present in versions 1.5.12 and earlier. There are two out-of-bounds write bugs (CVE-2020-9656, CVE-2020-9657) and an out-of-bounds read vulnerability (CVE-2020-9655). Three flaws have been fixed in Premiere Pro version 14.3. These are out-of-bounds write vulnerabilities (CVE-2020-9653, CVE-2020-9654) and an out-of-bounds read vulnerability (CVE-2020-9652).
Two out-of-bounds write bugs have been fixed in Adobe Audition 13.0.7 (CVE-2020-9658, CVE-2020-9659) and one out-of-bounds read bug has been fixed in Adobe Classic campaign (CVE-2020-9666). Users should update to version 20.2.