Morioh
Login
Brain Crist

Brain Crist

3 years ago

The software giant released patches for four critical vulnerabilities and five different platforms.

Adobe has released its scheduled July 2020 security updates, covering flaws in five different product areas: Creative Cloud Desktop; Media Encoder; Download Manager; Genuine Service; and ColdFusion.

Four of the bugs are rated critical in severity, with the others ranked as important. Most of the important flaws involve privilege escalation, with the critical bugs opening the door to more dangerous attacks.

“Updates to both Adobe Download Manager and Media Encoder address critical vulnerabilities (CVE-2020-9688, 9646, and 9650) that could lead to arbitrary code execution,” Justin Knapp, product marketing manager at Automox, told Threatpost. “The fourth critical vulnerability (CVE-2020-9682) impacts Creative Cloud Desktop, and if exploited, could allow an attacker to create or modify files.”

Creative Cloud Desktop

Adobe has released patches for four different flaws in its Creative Cloud Desktop Application for Windows, including a critical flaw allowing arbitrary file system writes.

Creative Cloud is a suite of apps and services for creating and processing video, design, photography and web art. Affected versions of the product include Creative Cloud Desktop Application 5.1 and earlier, Adobe noted in its scheduled monthly security update on Tuesday.

The critical flaw is a symbolic link (symlink) vulnerability (CVE-2020-9682) that could allow an attacker with a successful exploit to create or modify a file in a location they could not normally access. Symlinks are shortcuts to other files.

“While this is a critical vulnerability, Adobe has ranked it a 2, which means these systems could be at an increased risk based on past history, then again for this particular vulnerability there are no current known exploits,” said Jimmy Graham, senior director of product management, after reviewing the advisory.

The patches also address three important-rated security bugs, all of which could lead to privilege escalation in the context of the current user. The bug tracked as CVE-2020-9669 is caused due to a lack of exploit mitigations; CVE-2020-9671 is caused via insecure file permissions; and CVE-2020-9670 is another, less severe symlink vulnerability.

Acknowledgements for finding the flaws went to Xavier Danest of Decathlon (CVE-2020-9671); and Zhongcheng Li of Topsec Alpha Team (CVE-2020-9669, CVE-2020-9670 and CVE-2020-9682).

Media Encoder

Adobe also released an update for Adobe Media Encoder for Windows, 14.2 and earlier versions. Media Encoder is part of Adobe’s video-editing suite and is responsible for converting video files to the proper format to ensure they play well on different kinds of devices.

The advisory addresses two critical out-of-bounds write bugs (CVE-2020-9650 and CVE-2020-9646) that could lead to arbitrary code execution; and an important out-of-bound read (CVE-2020-9649) that could allow information disclosure in the context of the current user.

“On its own, arbitrary code-execution exploits are limited in scope to the privilege of the affected process, but when combined with privilege escalation vulnerabilities it can allow an attacker to quickly escalate a process’s privileges and execute code on the target system giving the attacker full control over the device,” Knapp said.

Adobe credited the Trend Micro Zero Day Initiative for reporting the issues.

Download Manager

Also among the security fixes is a patch for a critical vulnerability that could lead to arbitrary code-execution in Adobe Download Manager for Windows. The bug (CVE-2020-9688) affects version 2.0.0.518 of the platform.

The issue allows for command injection if exploited, which could ultimately open the door to arbitrary code-execution.

Security researcher Dhiraj Mishra (@RandomDhiraj) reported the issue.

Genuine Service

The Adobe Genuine Service for Windows and macOS meanwhile, which periodically validates already-installed Adobe software to root out incorrect and invalid licenses, and pirated software, has three important vulnerabilities.

These could all lead to privilege escalation in the context of the current user. They include two insecure library loading bugs (CVE-2020-9667 and CVE-2020-9681); and one is a result of the mishandling of symlinks (CVE-2020-9668)

They affect Genuine Service versions 6.6 and earlier versions, according to Adobe’s update.

Adobe credited Adrian Denkiewicz from CQURE (CVE-2020-9667) and Topsec Alpha Team’s Li (CVE-2020-9668, CVE-2020-9681) for the finds.

#cloud security #vulnerabilities #web security #adobe #bugs #code execution #coldfusion #creative cloud #critical vulnerabilities #download manager #genuine service #media encoder #patches #privilege escalation #security updates

Adobe Discloses Critical Code-Execution Bugs in July Update

threatpost.com

Adobe Discloses Critical Code-Execution Bugs in July Update

The software giant released patches for four critical vulnerabilities and five different platforms.

1.35 GEEK