Out-of-Band Update Corrects 12 Critical Flaws in Adobe Photoshop, Prelude and Bridge

Adobe has issued an out-of-band update to correct 12 critical vulnerabilities in Adobe Photoshop, Adobe Prelude, and Adobe Bridge, and an information disclosure vulnerability in Adobe Reader Mobile for Android. The critical flaws could all lead to remote code execution on Windows machines in the context of the current user.

The impact of the flaws will be limited for standard Windows users, although exploits for the vulnerabilities could be chained with exploits for other vulnerabilities to elevate privileges to admin. Adobe is unaware of exploitation of the flaws in the wild, but users have been advised to patch the vulnerabilities as soon as possible.

The flaws were identified by Mat Powell of Trend Micro’s Zero Day Initiative, who reported them to Adobe. The patches were released two weeks after Adobe’s last round of security updates on July Patch Tuesday.

The latest critical vulnerabilities are a mixture of out-of-bounds read and out-of-bounds write vulnerabilities and could result in a system crash, data corruption, or code execution.

Five of the vulnerabilities are in Adobe Photoshop and all could lead to code execution. The out-of-bounds read vulnerabilities have been assigned CVE-2020-9683 and CVE-2020-9686, and the out-of-bounds write vulnerabilities have been assigned CVE-2020-9684, CVE-2020-9685, and CVE-2020-9687. The flaws have been fixed in Photoshop CC 2019 version 20.0.10 and Photoshop CC 2020 version 21.2.1.

There is one out-of-bounds read vulnerability in Adobe Bridge – CVE-2020-9675 – and two out-of-bounds write vulnerabilities – CVE-2020-9674 and CVE-2020-9676. The flaws have been corrected in Bridge version 10.1.1.

Adobe Prelude has two out-of-bounds write vulnerabilities – CVE-2020-9678 and CVE-2020-9680 – and two out-of-bounds read vulnerabilities – CVE-2020-9677 and CVE-2020-9679. The flaws have been corrected in Prelude version 9.0.1.

A patch has also been released for an information disclosure bug in Adobe Reader Mobile – CVE-2020-9663 – which has been rated important.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news