Cyber Daily Report

News

Home News

Adobe Patches Slew of Critical Security Bugs in Bridge, Photoshop

  • Tara Seals--threatpost.com
  • published date: 2021-04-13 12:40:00 UTC

The security bugs could open the door for arbitrary code-execution and full takeover of targeted machines.

<div class="c-article__content js-reading-content"> <p>Adobe has released security patches tackling four critical vulnerabilities in Adobe Bridge, along with other critical and important-rated updates for bugs in Adobe Digital Editions, Adobe Photoshop and RoboHelp.</p> <p>In all, Adobe fixed 10 security holes in its products during its scheduled April updates, seven of them listed as critical.</p> <p><a href="https://threatpost.com/newsletter-sign/"><img loading="lazy" class="aligncenter wp-image-141989 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg" alt="" width="700" height="50"></a></p> <p>None of the CVEs addressed by Adobe are listed as publicly known or under active attack at the time of release.</p> <p>“This month, Adobe had four updates for Photoshop, Digital Editions, Bridge, and Robohelp and all rated as Priority 3,” Chris Goettl, senior director of product management and security at Ivanti, told Threatpost. “The reasoning behind Adobe’s prioritization is because this update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.”</p> <p>Goettl noted that this is an aspect of vendor severity ratings that many don’t take into account – if applications are less likely to be targeted by threat actors, Adobe sets the severity of the vulnerability lower, regardless of how severe of a bug it may be. Thus, patching priority should be determined on an organization-by-organization basis.</p> <p>“While historical evidence reflects Adobe’s assessment accurately, it does not remove all risk,” he noted. “Photoshop has had as many as nine exploited CVEs over the years, the most recent being the CVEs in 2015. Of these four updates, Photoshop is the riskiest.”</p> <h2>Adobe Bridge Security Vulnerabilities</h2> <p>Adobe Bridge is a creative-asset manager that helps users preview, organize, edit and publish multiple creative assets in a streamlined way. It contains the four critical bugs as well as two “important” <a href="https://helpx.adobe.com/security/products/bridge/apsb21-23.html" target="_blank" rel="noopener">vulnerabilities</a>:</p> <ul> <li>CVE-2021-21093 and CVE-2021-21092 are critical memory-corruption issues leading to arbitrary code execution;</li> <li>CVE-2021-21094 and CVE-2021-21095 are critical out-of-bounds write bugs also leading to arbitrary code execution;</li> <li>CVE-2021-21091 is an important out-of-bounds read issue that could lead to information disclosure;</li> <li>And CVE-2021-21096 stems from improper authorization and allows privilege escalation.</li> </ul> <p>“Arbitrary code execution, or ACE, vulnerabilities provide an adversary a platform to quickly execute additional code or applications on a target system, opening the door to lateral movement or quick exfiltration of system data,” Jay Goodman, manager of product marketing at Automox, said via email.</p> <div id="attachment_165368" style="width: 880px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-165368" loading="lazy" class="size-full wp-image-165368" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/13121050/Bridge-April.png" alt="" width="870" height="203"><p id="caption-attachment-165368" class="wp-caption-text">The fully patched versions. Source: Adobe</p></div> <h2><strong>Other Adobe Patches for April </strong></h2> <p>Adobe also addressed two <a href="https://helpx.adobe.com/security/products/photoshop/apsb21-28.html" target="_blank" rel="noopener">critical vulnerabilities</a> in Photoshop, its popular photo-editing software (CVE-2021-28548 and CVE-2021-28549). Both are buffer-overflow bugs that allow arbitrary code execution.</p> <div id="attachment_165367" style="width: 1034px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-165367" loading="lazy" class="wp-image-165367 size-large" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/13120907/Photoshop-April-1024x173.png" alt="" width="1024" height="173"><p id="caption-attachment-165367" class="wp-caption-text">The fully patched versions. Source: Adobe</p></div> <p>The company also patched a final <a href="https://helpx.adobe.com/security/products/Digital-Editions/apsb21-26.html" target="_blank" rel="noopener">critical vulnerability</a> in Adobe Digital Editions, CVE-2021-21100, which is a privilege-escalation problem allowing an arbitrary file-system write. Digital Editions is Adobe’s e-Book reader software used for acquiring, managing and reading e-books, digital newspapers and other digital publications.</p> <p>“This vulnerability allows an attacker to force the target application to overwrite any file on a system as a privileged user,” Goodman said. “This can allow an attacker to take a system offline by overwriting critical system files.”</p> <div id="attachment_165369" style="width: 891px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-165369" loading="lazy" class="size-full wp-image-165369" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/13121549/DigitalEditions-April.png" alt="" width="881" height="145"><p id="caption-attachment-165369" class="wp-caption-text">The fully patched version. Source: Adobe</p></div> <p>And finally, Adobe patched one important-rated vulnerability in RoboHelp, which is a platform for authoring technical articles and how-tos. The bug, tracked as CVE-2021-21070, is an uncontrolled search path element that could allow privilege escalation.</p> <div id="attachment_165370" style="width: 814px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-165370" loading="lazy" class="size-full wp-image-165370" src="https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/13121957/RoboHelp-April.png" alt="" width="804" height="169"><p id="caption-attachment-165370" class="wp-caption-text">The fully patched version. Source: Adobe</p></div> <p>Users can enable auto-updates for the bugs by going to Help &gt; Check for Updates.</p> <p>“These vulnerabilities should be patched within the 72-hour window to ensure attackers do not have the time to weaponize them against your organization,” Goodman noted.</p> <p><strong><em>Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a </em></strong><strong><em><a href="https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&amp;utm_medium=ART&amp;utm_campaign=April_webinar" target="_blank" rel="noopener">FREE Threatpost event</a></em></strong><strong><em>, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. </em></strong><strong><em><a href="https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&amp;utm_medium=ART&amp;utm_campaign=April_webinar" target="_blank" rel="noopener">Register here</a></em></strong><strong><em> for the Wed., April 21 LIVE event. </em></strong></p> <p> </p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Adobe Patches Slew of Critical Security Bugs in Bridge, Photoshop" data-url="https://threatpost.com/adobe-patches-critical-security-holes-bridge-photoshop/165371/" data-counters="yes" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/vulnerabilities/">Vulnerabilities</a></li> </ul> </div> </div> </footer> </div>

Most Popular

MixMode Raises $45 Million in Series B Funding Round Led by PSG to Automate Cyberattack Detection

  • None -- Security Boulevard
  • Published date: 2022-03-23 14:16:00 UTC

Ukraine War Alters Security Landscape for Orgs, ERM Leaders

  • None -- Security Boulevard
  • Published date: 2022-03-23 12:46:00 UTC

IoT is magic for building automation systems. But what about security?

  • Shaun Cooley -- Securitymagazine.com
  • Published date: 2022-03-23 04:00:00 UTC

A Closer Look at the LAPSUS$ Data Extortion Group

  • None -- securityboulevard.com
  • Published date: 2022-03-23 00:00:00 UTC

What is CWPP? (Cloud Workload Protection Platform)

  • None -- securityboulevard.com
  • Published date: 2022-03-23 00:00:00 UTC