Adobe has recently rolled out critical software updates addressing a total of 13 security vulnerabilities across five of its widely used applications. Among these vulnerabilities, four have been classified as critical, while the remaining nine are of significant concern, particularly for users operating the affected software.
The products that received these urgent security patches include the Adobe Creative Cloud Desktop Application, Adobe Media Encoder, Adobe Genuine Service, Adobe ColdFusion, and Adobe Download Manager. This broad yet targeted update underlines the pressing need for businesses to stay current with their software versions to mitigate potential threats.
Specifically, versions 5.1 and earlier of the Adobe Creative Cloud Desktop Application for Windows are vulnerable to four significant flaws, the most alarming being a critical symlink vulnerability (CVE-2020-9682). This flaw can enable attackers to execute arbitrary file system writes, posing significant risks to data integrity and security. According to Adobe’s advisory, the other three important vulnerabilities pertain to privilege escalation, which may allow unauthorized users to gain elevated access rights within the application.
Adobe Media Encoder is also affected, with two critical vulnerabilities related to arbitrary code execution (CVE-2020-9650 and CVE-2020-9646) and one significant information disclosure issue. These vulnerabilities impact users on both Windows and macOS platforms running version 14.2 or earlier, highlighting the cross-platform nature of the risks involved.
The Adobe Genuine Service, a utility designed to prevent the use of non-genuine software, has three critical privilege escalation vulnerabilities that can potentially put both Windows and macOS users at risk. The implications of these vulnerabilities could significantly undermine the integrity of business operations relying on Adobe’s suite of tools.
Adobe’s web-application development platform, ColdFusion, is facing two critical privilege escalation vulnerabilities. These flaws can be exploited through a DLL search-order hijacking technique, which emphasizes the need for ongoing vigilance in managing security within web applications.
Additionally, the Adobe Download Manager has a critical flaw (CVE-2020-9688), enabling arbitrary code execution via command injection. This vulnerability affects version 2.0.0.518 for Windows, underscoring the critical nature of regularly updating software applications to the latest versions—version 2.0.0.529 has been released to address this issue.
Importantly, none of the vulnerabilities addressed in this latest update have been publicly disclosed or reported as actively exploited. Nevertheless, the urgency for businesses to implement these patches cannot be overstated. Many of the vulnerabilities have been assigned a priority rating of 2, suggesting that similar exploits have previously been observed, emphasizing the critical nature of timely updates.
For business owners, understanding the potential tactics and techniques that could be employed in such attacks is essential for cybersecurity posture. Techniques such as initial access through compromised applications and privilege escalation to gain unauthorized access can significantly affect organizational security. The MITRE ATT&CK framework can provide insights into these adversary tactics, helping organizations remain vigilant against emerging threats.
As cyber risks continue to evolve, staying ahead through proactive software management and security practices will be integral to safeguarding sensitive information and maintaining business continuity.