Adobe has released fixes for several remote code execution holes in its Illustrator and Bridge software.
Those who rely on Adobe Illustrator version 24.0.2 for Windows, or earlier versions, will want to make sure that they install APSB20-20, the latest set of security fixes for the drawing tool.
“This update addresses critical vulnerabilities that could lead to the execution of arbitrary code in the context of the current user,” said Adobe of the patch.
The update fixes five CVE-listed security vulnerabilities, all of which are rated critical. The bugs, each described as a memory corruption error, would allow remote code execution on a vulnerable machine.
In each case, the victim would need to open a maliciously crafted Illustrator document, most likely delivered as an email attachment or download, to trigger exploitation. So far, there have been no reports of active attacks in the wild, although now that the fixes have been released, there is a better chance that the patches will be reverse engineered and the underlying bugs targeted.
Kushal Arvind Shah, of FortiGuard Labs, was credited with discovering and reporting the programming errors, designated CVE-2020-9570 to CVE-2020-9574.
Although the Illustrator patches are the most important, due to the size of the user base, those running Adobe Bridge (a file management tool described as “Media Asset Management”) will also want to seek out APSB20-19, an update that fixes 17 CVE-listed vulnerabilities.
Users will be able to obtain Bridge patches by updating their copies of Creative Cloud on Windows and macOS machines.
These defects range from buffer and heap overflow errors to memory corruption bugs, out-of-bounds read and write errors, and use-after-free vulnerabilities. Fourteen of the 17 flaws can be exploited to perform remote code execution. The other three would lead to the disclosure of information.
Adobe considers the fixes to be critical, so users and administrators would be well-advised to test and install the updates as soon as possible.
Mat Powell of Trend Micro's Zero Day Initiative got credit for finding the lion's share of the bugs: 15 of the 17 were found and reported to Adobe by Powell. The other two were credited to Francis Provencher, also from the Zero Day Initiative, and to an anonymous party that reported the flaws via ZDI.
Users and administrators should have enough time to test and install the Adobe patches, at least as far as scheduling goes. We have a good two weeks before the next edition of Patch Tuesday falls, so unless there is a serious security bug that warrants an out-of-band fix, we are not due for updates from Microsoft, Adobe, Intel or SAP soon. ®