Adobe says there's a critical flaw in its Photoshop Creative Cloud software for Windows and macOS that can be exploited by malicious files to hijack systems.
The unscheduled update fixes up critical memory corruption bugs discovered by Fortinet's Kushal Arvind Shah, both of which leave vulnerable systems open to remote code execution (RCE).
Opening a specially crafted file in a vulnerable Photoshop version will trigger the execute of code smuggled into the images. The RCE is “in the context of the current user." However, as general-purpose workstation software, Photoshop CC is likely to be installed on lots of machines where nobody's bothered to minimize user privileges.
The affected versions are Photoshop CC 2018 19.1.5 and earlier, and Photoshop CC 2017 18.1.5 and earlier, on Windows and macOS. The updated versions are Photoshop CC 2018 19.1.6 and Photoshop CC 2017 18.1.6. Make sure you run the usual software update routine to pick up the security fixes.
Full details are yet to be released for the two vulnerabilities, given the Common Vulnerabilities and Exposures assignments CVE-2018-12810 and CVE-2018-12811.
The two bugs weren't in this week's Patch Tuesday cycle, which covered Flash, Acrobat Reader, Experience Manager, and a separate privilege escalation flaw in Creative Cloud.
In spite of the “critical” rating, Adobe gave the patch a priority of the latest bugs as it's a bug “in a product that has historically not been a target for attackers.”
El Reg reckons “your discretion” would just as well be treated as “do it now.” ®