Although it is not a Patch Tuesday, Adobe has released emergency security updates for several of its products, namely Adobe Bridge, Illustrator, and Magento, so it is time for all users of these applications to be heedful. The software giant has announced patches that address multiple critical arbitrary code execution and information disclosure vulnerabilities.
This month’s release consists of 36 vulnerabilities addressed in 3 advisories: 28 vulnerabilities are rated critical, 5 are rated important and 3 are rated moderate. The critical ones are rated so because an attacker can achieve remote code execution, in some cases without authentication.
Adobe Illustrator:
A memory corruption vulnerability in Adobe Illustrator can allow a remote attacker to execute arbitrary code on the victim’s system. The attacker tricks the victim into opening a specially crafted file; successful exploitation runs arbitrary code with the privileges of the victim. Some sources say that it can also lead to a denial of service. Adobe Illustrator 2020 fixes these vulnerabilities in version 24.1.2.
Adobe Bridge:
Multiple vulnerabilities have been discovered in Adobe Bridge. Exploiting them can lead to arbitrary code execution or information disclosure. The critical ones, such as out-of-bounds write, heap overflow, memory corruption, use after free, and stack-based buffer overflow, let the attacker gain the privileges of the logged-on user. The severity therefore depends on the rights of that user, since the same privileges would be used to install programs or to view or delete data on the system. Adobe Bridge fixes these vulnerabilities in version 10.0.4.
Magento:
Magento is affected by 6 critical, 4 important, and 3 moderate vulnerabilities that allow attackers to execute arbitrary code or disclose sensitive information. They include command injection, stored cross-site scripting, security mitigation bypass, defense-in-depth security mitigation, authorization bypass, and observable timing discrepancy, and some of them do not require authentication to exploit. Magento has fixed these vulnerabilities in Magento Commerce and Magento Open Source 2.3.4-p2 and 2.3.5-p1, Magento Enterprise Edition 1.14.4.5, and Magento Community Edition 1.9.4.5.
Adobe Security Bulletin Summary for April 2020:
Product: Adobe Illustrator 2020
CVEs/Advisory: APSB20-20, CVE-2020-9570, CVE-2020-9571, CVE-2020-9572, CVE-2020-9573, CVE-2020-9574
Severity: Critical
Impact: Arbitrary Code Execution
Platforms: Windows
Product: Adobe Bridge
CVEs/Advisory: APSB20-19, CVE-2020-9555, CVE-2020-9562, CVE-2020-9563, CVE-2020-9568, CVE-2020-9553, CVE-2020-9557, CVE-2020-9558, CVE-2020-9554, CVE-2020-9556, CVE-2020-9559, CVE-2020-9560, CVE-2020-9561, CVE-2020-9564, CVE-2020-9565, CVE-2020-9569, CVE-2020-9566, CVE-2020-9567
Severity: Critical
Impact: Arbitrary Code Execution, Information Disclosure
Platforms: Windows
Product: Magento Commerce, Magento Open Source, Magento Enterprise Edition, Magento Community Edition
CVEs/Advisory: APSB20-22, CVE-2020-9576, CVE-2020-9577, CVE-2020-9578, CVE-2020-9579, CVE-2020-9580, CVE-2020-9581, CVE-2020-9582, CVE-2020-9583, CVE-2020-9584, CVE-2020-9585, CVE-2020-9587, CVE-2020-9588, CVE-2020-9591
Severity: Critical
Impact: Arbitrary Code Execution, Information Disclosure
Platforms: All
SanerNow security content has been published to detect these vulnerabilities. We strongly recommend updating the affected Adobe products to the latest versions.
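As an added example (not Adobe’s advisory content and not SanerNow’s detection content), the following Python checks an installed version against the fixed versions named above, paying attention to Magento’s “-pN” patch levels, where plain 2.3.5 is still vulnerable but 2.3.5-p1 is not. The product labels and the treatment of release lines with no named fix (older lines treated as needing an upgrade, newer ones as fixed) are assumptions made for this example.

```python
import re
from typing import List, Tuple

# Fixed versions named in the advisories above (taken from the page);
# the product keys are labels chosen for this example.
FIXED_VERSIONS = {
    "Adobe Illustrator 2020": ["24.1.2"],
    "Adobe Bridge": ["10.0.4"],
    "Magento Commerce/Open Source": ["2.3.4-p2", "2.3.5-p1"],
    "Magento Enterprise Edition": ["1.14.4.5"],
    "Magento Community Edition": ["1.9.4.5"],
}

# Dotted numeric version with an optional Magento-style "-pN" patch suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-p(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split '2.3.4-p2' into ((2, 3, 4), 2); no '-pN' suffix means patch level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    return base, int(m.group(2) or 0)


def is_fixed(product: str, installed: str) -> bool:
    """True when `installed` carries the fix for its release line."""
    inst = parse_version(installed)
    fixes = [parse_version(v) for v in FIXED_VERSIONS[product]]
    # Same base version as a named fix: compare the -pN patch level within
    # that release line, so plain 2.3.5 is vulnerable while 2.3.5-p1 is not.
    for fix_base, fix_patch in fixes:
        if inst[0] == fix_base:
            return inst[1] >= fix_patch
    # Assumption for lines without a named fix: anything newer than the newest
    # fixed release carries the fix, anything older still needs an upgrade.
    return inst > max(fixes)


def find_unpatched(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (product, version) inventory entries that still need updating."""
    return [(p, v) for p, v in inventory if not is_fixed(p, v)]


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    sample = [("Adobe Bridge", "10.0.3"), ("Adobe Illustrator 2020", "24.1.2"),
              ("Magento Commerce/Open Source", "2.3.5"), ("Magento Commerce/Open Source", "2.3.4-p2")]
    for product, version in find_unpatched(sample):
        print(f"UPDATE NEEDED: {product} {version}")
```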