Adobe’s Surprise Security Bulletin Dominated by Critical Patches

Out of 92 security vulnerabilities, 66 are rated critical in severity, mostly allowing code execution. The most severe can lead to information disclosure.

Adobe has dropped a mammoth out-of-band security update this week, addressing 92 vulnerabilities across 14 products.

The majority of the disclosed bugs are critical-severity problems, and most allow arbitrary code execution (ACE). Privilege escalation, denial-of-service and memory leaks/information disclosure are all well-represented, as well.

Adobe After Effects, Animate, Audition, Bridge, Character Animator, Illustrator, InDesign, Lightroom Classic, Media Encoder, Photoshop, Prelude, Premiere Pro, Premiere Elements and the XMP Toolkit SDK all received patches.

There’s plenty of commonality across the advisories. For instance, the lion’s share of the bugs allow access to a memory location after the end of a buffer, leading to ACE (a type of memory issue that can be exploited, like a standard buffer overflow in the worst-case scenario).

Also, almost all of the critical problems rate 7.8 on the CVSS vulnerability severity scale, except for one type. The advisory lists “NULL pointer dereference bugs causing memory leak” flaws as the most severe issues in the bunch, all rating 8.3 on the CVSS scale. These pop up in Bridge, Media Encoder, Prelude

Read More: