Adobe Releases Out-of-Band Patches for 29 Critical Vulnerabilities

Adobe usually releases its software updates on Patch Tuesday, the second Tuesday of the month, but no patches were released on March 10, but the round of updates has come a week later, with fixes issued for 41 vulnerabilities across 6 of its products. 29 critical flaws have been addressed and the remaining 11 patches address vulnerabilities that have been rated important.

The six affected products are Adobe Genuine Integrity Service, Adobe Acrobat and Reader, Adobe Photoshop, Adobe Experience Manager, Adobe ColdFusion, and Adobe Bridge. Adobe Photoshop is the worst affected with 22 vulnerabilities, 16 of which are critical, followed by Adobe Acrobat and Reader with 13 vulnerabilities, 9 of which are critical.

The 16 critical vulnerabilities in Photoshop are a combination of memory corruption flaws (CVE-2020-3784, CVE-2020-3785, CVE-2020-3786, CVE-2020-3787, CVE-2020-3788, CVE-2020-3789, CVE-2020-3790), out of bounds write flaws (CVE-2020-3773, CVE-2020-3779), buffer errors (CVE-2020-3770, CVE-2020-3772, CVE-2020-3774, CVE-2020-3775, CVE-2020-3776, CVE-2020-3780), and one heap corruption flaw (CVE-2020-3783). Exploitation of all of these vulnerabilities could lead to remote code execution in the context of the current user on vulnerable machines. The 6 important vulnerabilities could result in information disclosure.

The 9 critical vulnerabilities affecting Acrobat and reader are vulnerabilities in use-after-free flaws (CVE-2020-3792, CVE-2020-3793, CVE-2020-3801, CVE-2020-3802, CVE-2020-3805), with one out-of-bounds write flaw (CVE-2020-3795), a stack based buffer overflow (CVE-2020-3799), a buffer overflow (CVE-2020-3807) and a memory corruption flaw. (CVE-2020-3797).

Two critical RCE vulnerabilities have been patched in Adobe Bridge, an out-of-bounds write vulnerability (CVE-2020-9551) and a heap-based buffer overflow flaw (CVE-2020-9552).

The only non-RCE flaw is a critical information disclosure vulnerability in ColdFusion that could allow an attacker to read arbitrary files from the install directory (CVE-2020-3761). ColdFusion is also affected by an RCE file inclusion flaw (CVE-2020-3794).

As of March 18, 2020, when the patches were released, none had been publicly disclosed or exploited in the wild; however, it is only a matter of time before attempts are made to exploit the flaws so prompt patching is strongly advised.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of