Adobe has emitted security patches for six of its most prominent software bundles, including Illustrator, After Effects, and Premiere Pro.
For Illustrator, the fix cleans up five so-called critical CVE-listed security holes (CVE-2020-9642, CVE-2020-9575, CVE-2020-9641, CVE-2020-9640, CVE-2020-9639). It's a mix of a buffer overrun and memory corruption issues that can be exploited, presumably, by maliciously crafted documents to achieve arbitrary code execution on macOS and Windows systems.
Open a booby-trapped file in a vulnerable version, and you could get spyware, ransomware, or some other nasty on your machine. And artists are always opening and importing materials for their work. All the bugs were found by researchers from Fortinet's FortiGuard Labs. Four came courtesy of Yonghui Han, and the fifth was spotted and reported by Kushal Arvind.
After Effects also received five critical security patches, all again paving the way for arbitrary code execution (CVE-2020-9661, CVE-2020-9660, CVE-2020-9662, CVE-2020-9637, CVE-2020-9638). A combination of out-of-bounds read and write bugs, and heap overflows, left Windows and macOS users at risk. Researcher Honggang Ren of Fortinet's FortiGuard Labs claimed two of the bugs, while Trend ZDI man Mat Powell got the other three.
Those running Premiere Pro on Windows will want to get patched up for three critical out-of-bounds write and read bugs as well (CVE-2020-9653, CVE-2020-9654, CVE-2020-9652), which can be exploited to achieve arbitrary code execution. Mat Powell supplied the details.
Do you use Adobe's marketing software Campaign Classic? So you're the one? It has its own update, addressing an out-of-bounds read bug that can leak data (CVE-2020-9666, Nicolas Devillers from Lexfo credited).
Users and admins should test and apply the updates as soon as possible, Adobe advises. None of the bugs are being exploited in the wild, for now. ®