Adobe Patches 8 Critical Vulnerabilities
If Exploited, Flaws Could Allow Arbitrary Code Execution, Privilege Escalation
Adobe has released security updates to address eight vulnerabilities, which, if exploited, could enable an attacker to take control of an affected system.
The vulnerabilities allow arbitrary code execution and privilege escalation in Adobe Creative Cloud Desktop, which is used to create and edit videos; Adobe FrameMaker, a document processor; and Adobe’s Connect software, which is used for remote web conferencing.
Chris Hauk, consumer privacy champion at privacy advocacy Pixel Privacy, advises users to "take advantage of Adobe's Creative Cloud app to enable auto-updating of all Adobe apps. This ensures that all Adobe apps are updated when new versions become available."
Adobe Creative Cloud Desktop
Adobe patched three flaws in Creative Cloud Desktop:
- CVE-2021-21068 allows arbitrary file overwrite, enabling a remote attacker to upload a malicious file and execute it on the server;
- CVE-2021-21078 is an OS command injection security vulnerability that enables arbitrary code execution;
- CVE-2021-21069 is an improper input validation issue, which can be exploited for privilege escalation.
Adobe recommends Creative Cloud Desktop Application users update immediately to the latest version 5.4 to mitigate the vulnerabilities.
Adobe FrameMaker Flaws
A flaw tracked as CVE-2021-21056 in Adobe FrameMaker, if exploited, allows for arbitrary code execution.
An attacker who can access a program's memory layout can overwrite its executable code with their own, which could lead to denial of service or code execution.
Adobe says FrameMaker's 2019.0.8 version and below are affected by this flaw. The company credited Francis Provencher, a researcher at Trend Micro’s Zero Day Initiative, with finding the bug.
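The two version statements above (Creative Cloud Desktop fixed in 5.4; FrameMaker 2019.0.8 and below affected) are the kind of thing a patch-management inventory check has to encode correctly. The following is an added example, not Adobe's tooling or anything from the article: it parses version strings numerically (so that 5.10 is not mistaken for being older than 5.4) and flags inventory entries that fall inside the affected range. The inventory lines are constructed, and the "strictly above 2019.0.8 is fixed" reading for FrameMaker is an assumption, since the page does not name the fixed FrameMaker version.

```python
"""Affected-version check for the Adobe advisories described on this page.

Added example; not Adobe's tooling. Version boundaries come from the page
(Creative Cloud Desktop fixed in 5.4; FrameMaker 2019.0.8 and below
affected). The inventory records are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Products where the page names the first fixed version: anything lower is affected.
FIXED_IN: Dict[str, str] = {
    "Adobe Creative Cloud Desktop": "5.4",
}

# Products where the page names the highest affected version: that version and
# anything lower is affected. Assumption: any higher version is treated as fixed,
# because the page does not state FrameMaker's fixed version number.
AFFECTED_THROUGH: Dict[str, str] = {
    "Adobe FrameMaker": "2019.0.8",
}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2019.0.8' or '5.4' into a tuple of ints for numeric comparison.

    Only the digit groups are kept, so a suffix such as '-beta' is ignored.
    Comparing as integers is the point: as strings, '5.10' < '5.4'.
    """
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"no numeric version component in {s!r}")
    return tuple(int(p) for p in parts)


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is lower than, equal to, or higher than b.

    Shorter tuples are zero-padded so '5.4' and '5.4.0' compare equal.
    """
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the installed version is inside the affected range.

    Returns None when the product is not covered by this advisory table, so a
    caller can distinguish 'not affected' from 'no data'.
    """
    if product in FIXED_IN:
        return cmp_versions(version, FIXED_IN[product]) < 0
    if product in AFFECTED_THROUGH:
        return cmp_versions(version, AFFECTED_THROUGH[product]) <= 0
    return None


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter (host, product, version) records down to those still affected."""
    return [rec for rec in inventory if is_affected(rec[1], rec[2])]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-design-01", "Adobe Creative Cloud Desktop", "5.3.1"),   # below 5.4: affected
    ("ws-design-02", "Adobe Creative Cloud Desktop", "5.4"),     # fixed
    ("ws-design-03", "Adobe Creative Cloud Desktop", "5.10"),    # numerically above 5.4: fixed
    ("ws-docs-01", "Adobe FrameMaker", "2019.0.8"),              # highest affected: affected
    ("ws-docs-02", "Adobe FrameMaker", "2019.0.9"),              # assumed fixed
    ("ws-docs-03", "Adobe Acrobat", "20.0"),                     # not in this table: unknown
]

if __name__ == "__main__":
    for host, product, version in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected, update required")
```

Run against a real inventory export, the unknown-product case (`None`) is worth surfacing separately rather than silently treating it as "not affected", so that products the advisory table does not yet cover are not mistaken for patched ones.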
Adobe Connect
Adobe also patched several flaws in the Adobe Connect design tool.
The vulnerability, tracked as CVE-2021-21078, is an improper input validation flaw that allows for arbitrary code execution.
Three other Adobe vulnerabilities that were patched are tracked as CVE-2021-21079, CVE-2021-21080 and CVE-2021-21081. These flaws, if exploited, could allow arbitrary JavaScript execution in the browser of a victim.
Other Adobe Issues
A recent study by Germany's Ruhr University Bochum found that hackers could manipulate certain digitally signed Adobe PDF documents to add malicious content. The researchers found 16 PDF apps vulnerable to such exploits (see: Researchers Show How Digitally Signed PDFs Can Be Manipulated).
Earlier this month, Adobe released patches for several other vulnerabilities in Adobe Reader, Adobe Acrobat, Magento, Photoshop, Animate, Illustrator and Dreamweaver.
In November, the company released patches for 14 vulnerabilities in Adobe Acrobat and Reader for Windows and macOS which, when exploited, could lead to remote code execution.
Urgency of Patching
Erich Kron, security awareness advocate at the security firm KnowBe4, says patching broadly deployed software should be a top priority.
"In this case, the Adobe suites of software being impacted are widely used, and the key vulnerabilities are remotely exploitable, so it should be high on the priority list of organizations using the software," he says. "Cybercriminals are likely to attempt to exploit flaws in widely used software as the payback on the effort to craft these attacks is likely to be higher because they can broadly target more potential victims."