Top News

Adobe patches wave of critical bugs in Magento, Acrobat, Reader

Adobe has patched numerous critical vulnerabilities in a range of software including Magento, Acrobat, Reader, and Photoshop.

On Tuesday, the tech giant published security advisories for each product included in this month’s standard patch round. 

The first notice relates to Adobe Acrobat and Reader 2020, Acrobat and Reader DC, and the 2017 versions of both Acrobat and Reader on Windows and macOS machines. 

Adobe has resolved 23 vulnerabilities in these software packages, 17 of which are deemed critical and the rest, important. The security issues reported to Adobe include buffer and integer overflows, improper access controls, and use-after-free flaws that can be weaponized for arbitrary code execution, privilege escalation, denial-of-service crashes, and information leaks. 

Magento, an open source e-commerce platform, has also received a slew of security fixes. Specifically, Magento Commerce and Magento Open Source on all platforms are subject to a total of 18 bugs, varying in severity from critical to moderate. 

The worst vulnerabilities, including Insecure Direct Object Reference (IDOR) bugs, file upload list bypasses, security and access control bypasses, and blind SQL injections, can be used by attackers to perform code execution, to deploy JavaScript in a browser, and to access restricted resources. 

In total, five critical vulnerabilities have been reported in Adobe Photoshop on Windows and macOS. The bugs are described as out-of-bounds read/write and buffer overflow issues which can be exploited for the execution of malicious code.  

Two critical vulnerabilities, tracked as CVE-2021-21053 and CVE-2021-21054, are now patched in both Windows and macOS versions of Adobe Illustrator. If exploited, the out-of-bounds write bugs can trigger arbitrary code execution. 

Adobe Animate was also the subject of a critical out-of-bounds write flaw, CVE-2021-21052, which could also be weaponized to deploy arbitrary code.

A single fix has also been issued for Adobe Dreamweaver, website design software developed by the tech giant. CVE-2021-21055 is an uncontrolled search path element issue potentially leading to information leaks. 

Adobe thanked a number of independent researchers, Decathlon, the Trend Micro Zero Day Initiative, FortiGuard Labs, and participants of the Tianfu Cup 2020 International Cybersecurity Contest for reporting the security issues. 

In January, Adobe’s first scheduled security update of the year resolved bugs in seven products, including Photoshop, Illustrator, Bridge, and Campaign Classic. Heap buffer overflow vulnerabilities and out-of-bounds write flaws were among those patched. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Source : ZDNet

Previous ArticleNext Article
Send this to a friend