Adobe's July patch roundup includes fixes for its ubiquitous free PDF reader, Acrobat Reader 2020, and other software such as Illustrator and Bridge.
Eleven critical bugs in Adobe's popular free PDF reader, Acrobat, expose both Windows and macOS users to attacks ranging from an adversary arbitrarily executing commands on a targeted system to data leakage tied to system-read and memory flaws.
In a Tuesday security bulletin, which included patches for all of the flaws, the company reported that the Windows and macOS versions of Acrobat were equally vulnerable. Adobe added, however, that it was not aware of any exploitation of the bugs in the wild.
The free Acrobat Reader 2020 and the PDF-generation and editing program Acrobat 2020 were among the list of those programs with critical bugs patched. Adobe also patched Acrobat DC, Acrobat Reader DC, Acrobat Reader 2017 and Acrobat 2017. In all, Adobe patched 20 Acrobat bugs, nine of them rated critical.
Two of the most serious Acrobat vulnerabilities are use-after-free flaws (CVE-2021-28641, CVE-2021-28639) that, in a worst-case scenario, allow an adversary to execute arbitrary code on targeted systems or simply cause application crashes.
One of the more interesting critical bugs patched is a type of vulnerability called an "uncontrolled search path element" flaw (CVE-2021-28636). The vulnerability class also goes by the names DLL preloading, insecure library loading and dependency confusion. It is unclear how the weakness was introduced into Adobe Acrobat. The security bulletin links to a generic description of the flaw, which states:
"The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors... In some cases, the attack can be conducted remotely, such as when SMB or WebDAV network shares are used," according to a MITRE description of the vulnerability type.
Adobe Illustrator and Bridge, Also Patched
Additional Adobe products were also part of the vendor's roundup of fixes: Bridge, FrameMaker, Dimension and Illustrator.
Four critical bugs in Adobe Bridge, a free application for managing digital assets, were patched. These include a heap-based buffer-overflow flaw (CVE-2021-28624), an improper input-validation vulnerability (CVE-2021-35991) and two arbitrary code-execution bugs (CVE-2021-35989, CVE-2021-35990).
A heap-based buffer overflow allows for arbitrary code execution by an adversary, leading to either a system crash, an infinite loop or restart of a program, or a kind of denial-of-service attack based on CPU or memory overconsumption. Trend Micro Zero Day Initiative researcher Tran Van Khang is credited with identifying the bug.
One critical flaw (CVE-2021-28596) was reported, and patched, in the Windows version of Adobe's high-end document-processing software FrameMaker. This arbitrary code-execution bug is classified as an out-of-bounds write vulnerability, meaning an adversary could craft an exploit that targets a system's memory, where the malicious program writes data past the end, or before the beginning, of the intended memory buffer. This can potentially corrupt data, crash a targeted system or allow an attacker to execute code on the targeted system.
Some parts of this article are sourced from:
threatpost.com