Adobe has released a slew of patches for critical vulnerabilities as part of an out-of-band security update. Many of the critical flaws are tied to the popular Adobe Photoshop photo-editing software and allow adversaries to execute arbitrary code on targeted Windows devices.
Adobe issued patches for flaws tied to 12 CVEs across the Prelude, Bridge, and Photoshop applications. The unscheduled updates come a week after the company issued its official July 2020 security updates, which addressed critical code-execution bugs. Adobe said it was unaware of any exploits in the wild for any of the bugs patched in the update, and it did not provide technical details regarding the Photoshop CVEs.
All of the reported critical flaws originate from out-of-bounds read and write vulnerabilities, which occur when the software reads or writes data past the end of, or before the beginning of, the intended buffer. This can potentially lead to corruption of sensitive information, a crash, or code execution, among other things.
Adobe Photoshop has three out-of-bounds write flaws (CVE-2020-9684, CVE-2020-9685, CVE-2020-9687) and two out-of-bounds read flaws (CVE-2020-9683, CVE-2020-9686). According to Adobe, all of them may “lead to arbitrary code execution in the context of the current user.”
The Photoshop vulnerabilities affect Photoshop CC 2019 versions 20.0.9 and earlier and Photoshop 2020 versions 21.2 and earlier (for Windows). Users can update to versions 20.0.10 and 21.2.1, respectively.