
Patch Tuesday: Adobe announces 25 bug fixes, 21 in Acrobat products

On the last Patch Tuesday of 2019, Adobe today released security updates for Acrobat and Acrobat Reader, Photoshop CC, Brackets and ColdFusion, fixing 25 critical and important vulnerabilities in the process.

Twenty-one of the flaws were found in various Acrobat and Acrobat Reader products for the Windows and macOS platforms. Of these, 14 are critical, including two out-of-bounds writes, five use-after-free bugs, one heap overflow, one buffer error, four untrusted pointer dereference instances and one security bypass -- all of which can result in arbitrary code execution.

The remainder of the Acrobat flaws consist of six out-of-bounds read vulnerabilities and a binary planting/default folder privilege escalation bug, all of which can allow potential attackers to achieve privilege escalation.

The products are fixed with the following releases: Acrobat DC and Acrobat Reader DC v 2019.021.20058, Acrobat 2017 and Acrobat Reader 2017 v 2017.011.30156, and Acrobat 2015 and Acrobat Reader 2015 v 2015.006.30508. Earlier versions of these products remain vulnerable.

Adobe also repaired two critical memory corruption vulnerabilities in Photoshop CC with the release of versions 20.0.8 and 21.0.2. If not patched, both could result in arbitrary code execution.

The last of the critical flaws was identified as a command injection vulnerability that could cause arbitrary code execution in the Brackets open-source web design editor. The coding mistake was amended with the release of version 1.14.1 for Windows, Linux and macOS.

Finally, Adobe's ColdFusion rapid web-application development platform was updated in order to eradicate a single vulnerability that could enable privilege escalation by way of insecure inherited permissions of a default installation directory. Users are advised to apply the ColdFusion update, along with any corresponding Java Development Kit and Java Runtime Environment updates.
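
For patch-management teams, the fixed releases listed above can be checked against a software inventory. The following Python sketch is an added example, not part of the original article or any Adobe tooling; the product keys, host names and inventory records are constructed, and the two-digit-year normalization and the handling of versions outside a listed release track are assumptions.

```python
# Added example: compare inventory versions with the fixed releases named in the article.
FIXED = {  # product key (hypothetical naming) -> fixed releases from the article
    "acrobat_dc": ["2019.021.20058"],
    "acrobat_2017": ["2017.011.30156"],
    "acrobat_2015": ["2015.006.30508"],
    "photoshop_cc": ["20.0.8", "21.0.2"],
    "brackets": ["1.14.1"],
}

def parse(version, product=""):
    """Turn '2019.021.20058' into (2019, 21, 20058); raise ValueError if malformed."""
    parts = [int(p) for p in version.strip().split(".")]
    # Assumption: some inventories report Acrobat with a two-digit year (19.021.20058).
    if product.startswith("acrobat") and parts[0] < 100:
        parts[0] += 2000
    return tuple(parts)

def status(product, installed):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    if product not in FIXED:
        return "unknown"
    try:
        have = parse(installed, product)
    except ValueError:
        return "unknown"
    fixed = sorted(parse(v, product) for v in FIXED[product])
    # Prefer the fixed release on the same major track (Photoshop 20.x vs 21.x).
    same_track = [f for f in fixed if f[0] == have[0]]
    # Assumption: with no matching track, anything below the newest fix is unpatched.
    target = same_track[0] if same_track else fixed[-1]
    return "patched" if have >= target else "vulnerable"

def audit(records):
    """Return the (host, product, version) records that still need the update."""
    return [r for r in records if status(r[1], r[2]) == "vulnerable"]

# Constructed inventory, not real hosts.
INVENTORY = [
    ("ws-01", "acrobat_dc", "2019.021.20056"),
    ("ws-02", "acrobat_dc", "19.021.20058"),
    ("ws-03", "acrobat_2017", "2017.011.30156"),
    ("mac-01", "photoshop_cc", "20.0.7"),
    ("mac-02", "photoshop_cc", "21.0.2"),
    ("dev-01", "brackets", "1.14.0"),
]

if __name__ == "__main__":
    for host, product, version in audit(INVENTORY):
        print(f"{host}: {product} {version} is older than the fixed release")
```

ColdFusion is left out because the article gives no fixed version number for it; records for products not in the table are reported as unknown rather than patched.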

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
