Adobe Systems has addressed 17 critical vulnerabilities in Acrobat Reader, Photoshop and Brackets, which could lead to arbitrary code execution if exploited. As part of its regularly scheduled updates, Adobe released patches addressing 25 CVEs across various products, including its Acrobat Reader PDF viewer; Photoshop editing tool; ColdFusion 2018 commercial rapid web-application development platform; and Brackets, its source-code editor primarily focused on web development. No exploits for these vulnerabilities have been detected in the wild thus far, said Adobe.
In Adobe Acrobat and Reader, Adobe fixed 14 critical arbitrary code execution flaws, including out-of-bounds write bugs (CVE-2019-16450, CVE-2019-16454), use-after-free flaws (CVE-2019-16445, CVE-2019-16448, CVE-2019-16452, CVE-2019-16459, CVE-2019-16464), untrusted pointer dereference vulnerabilities (CVE-2019-16446, CVE-2019-16455, CVE-2019-16460, CVE-2019-16463), a heap overflow (CVE-2019-16451), a buffer error (CVE-2019-16462) and a security bypass (CVE-2019-16453).
Adobe also fixed seven "important"-rated flaws in Acrobat Reader. Users are encouraged to update to Acrobat DC and Acrobat Reader DC Continuous version 2019.021.20058 (for Windows and macOS); Acrobat and Acrobat Reader Classic 2017 version 2017.011.30156 (for Windows and macOS); and Acrobat and Acrobat Reader Classic 2015 version 2015.006.30508 (for Windows and macOS). Note that each release track has its own fixed build: a Classic 2017 installation is not fixed by the Continuous version number, and vice versa.
The update is a Priority 2, which according to Adobe “resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days).”
Critical flaws were also reported in Adobe Photoshop CC versions 20.0.7 and earlier (an update is available in 20.0.8) and 21.0.1 and earlier (an update is available in 21.0.2) for Windows and macOS. The two critical flaws (CVE-2019-8253 and CVE-2019-8254) are memory corruption bugs that could lead to arbitrary code execution.
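Because the Acrobat/Reader fixed builds above are per release track and the Photoshop fixes are per major version, a simple "is my version newer than X" test gives wrong answers. The following script, an added example that is not Adobe's or CERT-MU's code, gates a software inventory against the fixed versions quoted in this advisory. The track names (continuous, classic2017, classic2015), the inventory layout and the host names are assumptions made for the example; the version thresholds come from the text above.

```python
"""Gate an Adobe inventory against the December 2019 fixed versions (added example)."""

# Minimum fixed builds quoted in the advisory, keyed by release track.
# Track names are an assumption of this example, not Adobe terminology.
ACROBAT_FIXED = {
    "continuous": (2019, 21, 20058),   # Acrobat/Reader DC Continuous
    "classic2017": (2017, 11, 30156),  # Acrobat/Reader Classic 2017
    "classic2015": (2015, 6, 30508),   # Acrobat/Reader Classic 2015
}
# Photoshop CC: 20.0.7 and earlier fixed in 20.0.8, 21.0.1 and earlier fixed in 21.0.2.
PHOTOSHOP_FIXED = {20: (20, 0, 8), 21: (21, 0, 2)}


def parse_version(text):
    """Turn '2019.021.20058' into (2019, 21, 20058); leading zeros are not significant."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def check_acrobat(version, track):
    """Return 'patched' or 'vulnerable' for an Acrobat/Reader build on a known track.

    Each track is compared only against its own fixed build, so a Classic 2017
    installation is never reported 'patched' on the strength of the Continuous number.
    """
    if track not in ACROBAT_FIXED:
        raise ValueError(f"unknown Acrobat track: {track!r}")
    return "patched" if parse_version(version) >= ACROBAT_FIXED[track] else "vulnerable"


def check_photoshop(version):
    """Photoshop has no separate tracks; the major version selects the threshold.

    Builds older than 20.x fall under '20.0.7 and earlier' and are reported
    vulnerable. Majors newer than 21 postdate this advisory and are treated as
    patched here (an assumption of the example).
    """
    v = parse_version(version)
    major = v[0]
    if major < 20:
        return "vulnerable"
    if major > 21:
        return "patched"
    return "patched" if v >= PHOTOSHOP_FIXED[major] else "vulnerable"


def audit(inventory):
    """inventory: iterable of (host, product, version, track_or_None).

    Returns [(host, product, version)] for installations that still need the update.
    Products other than 'acrobat' and 'photoshop' are skipped by this gate.
    """
    findings = []
    for host, product, version, track in inventory:
        if product == "acrobat":
            status = check_acrobat(version, track)
        elif product == "photoshop":
            status = check_photoshop(version)
        else:
            continue
        if status == "vulnerable":
            findings.append((host, product, version))
    return findings


# Constructed sample inventory for the example; hosts and builds are not real data.
SAMPLE_INVENTORY = [
    ("ws01", "acrobat", "2019.021.20058", "continuous"),   # exactly the fixed build
    ("ws02", "acrobat", "2019.012.20040", "continuous"),   # older Continuous build
    ("ws03", "acrobat", "2017.011.30156", "classic2017"),  # fixed Classic 2017 build
    ("ws04", "acrobat", "2017.011.30150", "classic2017"),  # older Classic 2017 build
    ("ws05", "acrobat", "2015.006.30500", "classic2015"),  # older Classic 2015 build
    ("ws06", "photoshop", "20.0.7", None),                 # last affected 20.x build
    ("ws07", "photoshop", "21.0.2", None),                 # fixed 21.x build
    ("ws08", "photoshop", "19.1.9", None),                 # pre-20.x, "and earlier"
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs the December 2019 update")
```

The track must be supplied by the operator rather than guessed from the version string, because Continuous builds from earlier years share their leading component with the Classic tracks (a 2017.x Continuous build and a Classic 2017 build are different products with different fixed versions).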
A final critical vulnerability was disclosed in versions 1.14 and earlier of Brackets for Windows, Linux and macOS (users are encouraged to update to version 1.14.1). The flaw (CVE-2019-8255) is a command injection vulnerability that could enable arbitrary code execution. Tavis Ormandy of Google Project Zero was credited with discovering the flaw.
Adobe also reported an important flaw (CVE-2019-8256) in ColdFusion 2018 Update 6 and earlier versions, stemming from insecure inherited permissions on the default installation directory, that could enable privilege escalation. A fix is available in Update 7. Administrators who installed ColdFusion into a non-default directory, or who have already tightened the directory's ACL, should still apply the update rather than rely on the changed permissions alone.
Overall, Adobe issued more critical patches in December than it did in November, when it warned Illustrator 2019 users that two critical memory-corruption vulnerabilities could allow an attacker to remotely connect to a Windows machine, execute code and gain control of the targeted system.
Users are advised to watch out for the vulnerabilities and apply updates accordingly.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street