Just one week after issuing its last batch of patches, Adobe Systems has issued additional security updates fixing 13 vulnerabilities, 12 of them critical out-of-bounds read or write flaws that can lead to arbitrary code execution in either Prelude, Photoshop or Bridge.
One additional bug of “important” severity was located in Mobile Reader, for all Android versions.
Adobe has credited Mat Powell of Trend Micro’s Zero Day Initiative with discovering the critical vulnerabilities. SC Media reached out to Trend Micro and received additional details from Dustin Childs, communications manager at ZDI.
“These bugs are file parsing bugs that could lead to code execution if an attacker can convince someone to open a malicious file or browse to a specially crafted website,” said Childs. “Of the ones patched today, the bugs for Photoshop are probably more critical simply because it has a broader user base than the other affected products.”
Childs said that the file format types impacted by today’s patches are MOV, MP4, and 3GP. “You should always use caution when opening these types of files, especially if they come from an unknown source,” he noted.
Prelude is repaired with the release of version 9.0.1, Photoshop is amended with versions 20.0.10 and 21.2.1, Bridge is updated with version 10.1.1, and Mobile Reader is fixed with version 20.3.
On July 14, Adobe issued patches fixing 13 vulnerabilities, four of them critical, spread out among five products, including Download Manager, ColdFusion, Genuine Service, Media Encoder and the Creative Cloud Desktop Application.