Adobe Systems on Patch Tuesday issued fixes for 13 vulnerabilities — four critical — spread out among five products, including Download Manager, ColdFusion, Genuine Service, Media Encoder and the Creative Cloud Desktop Application.
Download Manager 126.96.36.1998 for Windows contains a command injection flaw (CVE-2020-9688) that can cause arbitrary code execution. Discovered by researcher Dhiraj Mishra, the bug has been repaired with the release of version 188.8.131.529.
Two more critical vulnerabilities that can result in arbitrary code execution were found in Media Encoder 14.2 and earlier versions for Windows. Discovered by the Trend Micro Zero Day Initiative and fixed in version 14.3, the bugs (CVE-2020-9650, CVE-2020-9646) are caused by an out-of-bounds write condition. Media Encoder was also discovered to have an important information disclosure issue, caused by an out-of-bounds read.
The final critical vulnerability is one of four bugs that were found in Creative Cloud Desktop Application 5.1 and earlier versions for Windows. Described as a symlink vulnerability capable of an arbitrary file system write, the bug (CVE-2020-9682) was uncovered by Zhongcheng Li of Topsec Alpha Team and fixed in version 5.2.
The three other Creative Cloud flaws were all deemed important in severity and categorized as privilege escalation bugs.
ColdFusion 2016 and ColdFusion 2018 (for all platforms) were also patched after the discovery of two important DLL search-order hijacking vulnerabilities that can cause privilege escalation, and Genuine Service for Windows and macOS was updated to fix three additional privilege escalation flaws.