Adobe has released patches for critical zero-day vulnerabilities found in its ColdFusion and InDesign products, both of which left the door open for arbitrary code execution attacks.
The two critical fixes were among 15 patches the company made available this week — three for ColdFusion and 12 for InDesign — as part of its regular monthly security update service.
Adobe warned the ColdFusion vulnerabilities — affecting the 2018, 2021 and 2023 versions of its web-application development platform — could “lead to arbitrary code execution and security feature bypass”.
The most serious of the three bugs, CVE-2023-29300, was a deserialization of untrusted data vulnerability with a critical-severity CVSS v3 rating of 9.8.
In March this year, Adobe patched another critical ColdFusion vulnerability that could lead to arbitrary code execution and memory leak. At the time the company said it was aware the zero-day bug, tracked as CVE-2023-26360, had “been exploited in the wild in very limited attacks”.
Of the 12 patches released this week for Adobe’s InDesign desktop publishing software, the most serious related to CVE-2023-29308, a critical-severity vulnerability with a CVSS v3 rating of 7.8. It was an out-of-bounds write vulnerability that could result in arbitrary code execution if a victim opened a malicious file.
The other 11 InDesign vulnerabilities had severity classifications of ‘important’ and all had CVSS v3 ratings of 5.5.
All 12 vulnerabilities were reported by Yonghui Han of Fortinet’s FortiGuard Labs. In a blog post, the researcher said the one critical vulnerability in the group was tied to the decoding of QuarkXPress (QXD) desktop publishing files when they were utilized within InDesign.
“Specifically, the vulnerability is caused by a malformed QXD file, which causes an out-of-bounds memory write due to an improper bounds check,” he wrote.
“Attackers can exploit this vulnerability to execute arbitrary code within the context of the application via a crafted QXD file.”
The other 11 bugs he discovered were all out-of-bounds read vulnerabilities, and also all tied to the decoding of QXD files in InDesign. Again, crafting a malformed file could cause an out-of-bounds memory read due to an improper bounds check, and allow hackers to leak information.
This month marked the second time Yonghui Han has been credited with identifying 12 InDesign vulnerabilities that have been disclosed together in a single monthly update, the previous occasion was in September last year.
The dozen vulnerabilities patched this month “each have different root causes related to a single InDesign plugin,” he said in his post.
“Due to the severity of these vulnerabilities, we suggest that users apply the Adobe patch as soon as possible.”
The Cybersecurity and Infrastructure Security Agency (CISA) had not added any of this week’s 15 Adobe bugs to its Known Exploited Vulnerability Catalog but said in a brief advisory it “encourages users and administrators to review the Adobe security releases APSB23-38 and APSB23-40 and apply the necessary updates.”
