In recent weeks, more and more critical software vulnerabilities have been cropping up. Industry leaders and their research and security teams have reported several flaws in some of the most popular publicly used software. These security flaws, more appropriately called bugs, have been found in mainstream software products that are used by millions of people and are well established in the public cyberspace domain. In particular, recent weeks have brought vulnerabilities in apps and software from industry giants like Google. It is not only Google, though: its biggest rival, Microsoft, has also had recent experiences with dodgy vulnerabilities. To top it off, WordPress, the most widely used website building and blogging software (CMS), has experienced similar flaws in some of its plugins. There seems to be a pattern of arbitrary code execution vulnerabilities that are currently abundant across the industry.
This time, multimedia and creativity software pioneer Adobe’s official ‘Adobe Security Bulletin’ web page has reported several vulnerabilities in three of its products: Adobe Premiere Pro, Adobe Photoshop, and Adobe Prelude. The multiple flaws affecting the three completely different software products were all reported on July 20th, 2021 by security researchers.
Details About The Adobe Vulnerabilities
The current vulnerabilities in the Adobe product line are marked as critical. All of them can lead to an attacker remotely compromising (controlling) a user’s system, where arbitrary code can be executed via a ‘specially crafted file’. The vulnerabilities have been described as follows:
- A critical vulnerability in Adobe Premiere Pro (CVE-2021-35997) entails an ‘access of memory location after end of buffer’ vulnerability. This vulnerability allows a remote attacker to compromise the affected system. It is caused by a ‘boundary error’ when processing media files: an attacker who tricks the user into opening an illegitimate file can gain full remote system access.
- A critical vulnerability in Adobe Photoshop (CVE-2021-36005) entails a ‘stack-based buffer overflow’ vulnerability. This one is also caused by a ‘boundary error’. If successfully exploited, it can allow an attacker to remotely control the user’s system.
- Critical vulnerabilities in Adobe Prelude (CVE-2021-36007/35999) entail ‘improper input validation’ and ‘access of memory location after end of buffer’ vulnerabilities. These vulnerabilities, like the other two, can also allow a remote attacker to fully compromise the target system. The difference is that there are two sub-issues here. The first is caused by insufficient validation of user-supplied input, and the second is yet again the same boundary error.
What is a Software Vulnerability?
According to the Berkman Klein Center For Internet & Society At Harvard University: ‘Software is not secure when it has defects or flaws which can be exploited by hackers to cause attacks such as unauthorized intrusion or denial of service attacks. Any public announcement about a software defect is termed as ‘vulnerability disclosure’.’
The Adobe Priority And Severity Ratings System
All of the above vulnerabilities have been given a priority rating of 3, and a severity rating of critical. Adobe’s official web page offers insight into their priority and severity rating system, via which vulnerabilities are judged. The official scales are as follows;
Important Information For Users
Adobe has released software updates that address these issues. CQY of Topsec Alpha Team, Mat Powell of Trend Micro Zero Day Initiative, and Yongjun Liu of nsfocus security team have reported and worked on the issues to protect customers. The latest official information for users of these software products is as follows:
- Adobe Premiere Pro 15.2 and earlier versions are affected (Windows and macOS)
- Adobe Photoshop 2020 21.2.9/2021 22.4.2 and earlier versions are affected (Windows and macOS)
- Adobe Prelude 10.0 and earlier versions are affected (Windows)
Adobe recommends that individual users immediately update all of the above software products to the latest version via the Creative Cloud desktop update mechanism. Users can also refer to the Creative Cloud help page for installation and update tips. For enterprise environments, Adobe notes that IT administrators ‘can use the Admin Console to deploy Creative Cloud applications to end users’.
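For administrators checking a fleet against the affected versions listed above, the following is an added example (not Adobe tooling, and not part of the original article). The inventory record layout, host names and sample versions are constructed for illustration; the version ceilings and platforms are the ones given in this article, read strictly.

```python
# Added example: flag installs at or below the affected versions listed above.
# The inventory layout (host, product, version, platform) is an assumption.

# product -> (highest affected version per release track, platforms listed)
AFFECTED = {
    "premiere pro": (["15.2"], {"windows", "macos"}),
    "photoshop": (["21.2.9", "22.4.2"], {"windows", "macos"}),  # 2020 / 2021
    "prelude": (["10.0"], {"windows"}),
}

def parse_version(text, width=4):
    """'15.2' -> (15, 2, 0, 0). Padding makes 15.2 equal 15.2.0, and integer
    parts avoid the string-compare trap where '15.10' sorts before '15.2'."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))

def is_affected(product, version, platform):
    name = product.strip().lower().removeprefix("adobe ").strip()
    entry = AFFECTED.get(name)
    if entry is None:
        return False
    ceilings, platforms = entry
    if platform.strip().lower() not in platforms:
        return False
    installed = parse_version(version)
    limits = sorted(parse_version(c) for c in ceilings)
    for limit in limits:
        if limit[0] == installed[0]:  # same release track (major version)
            return installed <= limit
    # No listed track has this major: only older majors count as "earlier".
    return installed < limits[0]

def triage(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [(h, p, v) for h, p, v, plat in inventory if is_affected(p, v, plat)]

# Constructed sample inventory, not real hosts.
SAMPLE = [
    ("ws-01", "Adobe Premiere Pro", "15.2.0", "Windows"),
    ("ws-02", "Adobe Premiere Pro", "15.10", "macOS"),
    ("ws-03", "Adobe Photoshop", "21.2.9", "macOS"),
    ("ws-04", "Adobe Photoshop", "22.4.3", "Windows"),
    ("ws-05", "Adobe Photoshop", "20.0.10", "Windows"),
    ("ws-06", "Adobe Prelude", "10.0", "macOS"),
    ("ws-07", "Adobe Prelude", "9.0.2", "Windows"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE):
        print(f"{host}: {product} {version} needs the Creative Cloud update")
```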