On the last Patch Tuesday of 2019, Adobe today released security updates for Acrobat and Acrobat Reader, Photoshop CC, Brackets and ColdFusion, fixing 25 critical and important vulnerabilities in the process.
Twenty-one of the flaws were found in various Acrobat and Acrobat Reader products for the Windows and macOS platforms. Of these, 14 are critical, including two out-of-bounds writes, five use-after-free bugs, one heap overflow, one buffer error, four untrusted pointer dereference instances and one security bypass — all of which can result in arbitrary code execution.
The remainder of the Acrobat flaws consist of six out-of-bounds read vulnerabilities and a binary planting/default folder privilege escalation bug, all of which can allow potential attackers to achieve privilege escalation.
The products are fixed with the following releases: Acrobat DC and Acrobat Reader DC v 2019.021.20058, Acrobat 2017 and Acrobat Reader 2017 v 2017.011.30156, and Acrobat 2015 and Acrobat Reader 2015 v 2015.006.30508. Earlier versions of these products remain vulnerable.
Adobe also repaired two critical memory corruption vulnerabilities in Photoshop CC with the release of versions 20.0.8 and 21.0.2. If not patched, both could result in arbitrary code execution.
The last of the critical flaws was identified as a command injection vulnerability that could cause arbitrary code execution in the Brackets open-source web design editor. The coding mistake was amended with the release of version 1.14.1 for Windows, Linux and macOS.
Finally, Adobe’s ColdFusion rapid web-application development platform was updated in order to eradicate a single vulnerability that could enable privilege escalation by way of insecure inherited permissions of a default installation directory. Users are advised to apply the ColdFusion update, along with any corresponding Java Development Kit and Java Runtime Environment updates.