
Patch Tuesday: Adobe eliminates four critical bugs

Adobe Systems on Patch Tuesday issued fixes for 13 vulnerabilities -- four critical -- spread out among five products, including Download Manager, ColdFusion, Genuine Service, Media Encoder and the Creative Cloud Desktop Application.

Download Manager 2.0.0.518 for Windows contains a command injection flaw (CVE-2020-9688) that can cause arbitrary code execution. Discovered by researcher Dhiraj Mishra, the bug has been repaired with the release of version 2.0.0.529.

Two more critical vulnerabilities that can result in arbitrary code execution were found in Media Encoder 14.2 and earlier versions for Windows. Discovered by the Trend Micro Zero Day Initiative and fixed in version 14.3, the bugs (CVE-2020-9650, CVE-2020-9646) are caused by an out-of-bounds write condition. Media Encoder was also discovered to have an important information disclosure issue, caused by an out-of-bounds read.

The final critical vulnerability is one of four bugs that were found in Creative Cloud Desktop Application 5.1 and earlier versions for Windows. Described as a symlink vulnerability capable of an arbitrary file system write, the bug (CVE-2020-9682) was uncovered by Zhongcheng Li of Topsec Alpha Team and fixed in version 5.2.

The three other Creative Cloud flaws were all deemed important in severity and categorized as privilege escalation bugs.

ColdFusion 2016 and ColdFusion 2018 (for all platforms) were also patched after the discovery of two important DLL search-order hijacking vulnerabilities that can cause privilege escalation, and Genuine Service for Windows and macOS was updated to fix three additional privilege escalation flaws.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
