
Sometimes, even global leaders in software run into security vulnerabilities. The world’s most established software vendors, such as Microsoft, Google, and now media colossus Adobe, have all had their fair share of such issues. Fully aware that cybercriminals are constantly looking for clever and novel ways to exploit security issues, software companies know that patching any security holes is at the top of the survival list. Threat actors (hackers and digital criminals) thrive on exploiting flaws in popular software and on orchestrating nifty scams to steal credentials, which for them is a great way to gain exposure and ultimately bask in the digital limelight. Of course, the financial gain to be had is the proverbial cherry on top of the whole process.

The spotlight is once again shining on media colossus Adobe, which had issues with a host of its widely used media software not long ago. This time, Adobe is experiencing software vulnerability déjà vu. Adobe has officially released a security vulnerability report detailing a critical issue with its Media Encoder product, as well as issues with multiple other products. Adobe’s products are used by hundreds of thousands of companies and millions of individual users, have existed for over 20 years, and are regarded as the gold standard media software suite, with a very wide range of uses, e.g. video, audio, photography, design and more.

The Adobe Media Encoder Vulnerability

On August 17th, 2021, Adobe published bulletin ID APSB21-70 on its official ‘Security Bulletin’ web page. This is an ID code that Adobe assigns to its security bulletins. The bulletin informed the public that a critical software vulnerability was found in the very widely used Adobe Media Encoder. The Adobe Media Encoder is an integral part of Adobe’s famous video editing platform Premiere Pro, as well as its special effects software After Effects. It is instrumental for video and audio editing conversion and compression at the final stages of a media project and is well known in the media industry.

The Technical Details

The technical details surrounding the Adobe Media Encoder vulnerability are as follows:

  • This is a critical vulnerability
  • It is classified as priority 3 according to Adobe’s Priority Rating System
  • The vulnerability allows a remote attacker to compromise a vulnerable system

The CVE (Common Vulnerabilities and Exposures) ID for this vulnerability is CVE-2021-36070. It is a remote code execution flaw caused by a boundary error, classified as an access of a memory location after the end of a buffer. On an unpatched system, this vulnerability may allow a remote attacker to create a specially crafted file and trick the victim into opening it. If the victim then opens the file with the affected software, this can trigger an out-of-bounds write and ultimately allow the remote attacker entry into the target system.

Vulnerable Software Versions

The following versions of Adobe Media Encoder are affected by the above software vulnerability:

  • 15.0
  • 15.1
  • 15.2
  • 15.3
  • 15.4

Additional Adobe Product Security Vulnerabilities

Apart from the Adobe Media Encoder vulnerability, Adobe has also published other product vulnerabilities on its security bulletin. The information below is important for users of these products. This includes:

All of the above software vulnerabilities range from important to critical, and if unpatched could lead to system compromise by a remote attacker. Information about the vulnerable software versions for each respective product can be accessed via each link above.

Important Information For Users of Adobe Products

Fixes have been released for the above issues. Users of Adobe Media Encoder, InCopy, Photoshop, Bridge, Commerce, and Magento Open Source should immediately check whether their software is updated to the latest respective patch. The Adobe Software Suite should automatically update for all users, or display a prompt. For further information, users should refer to Adobe’s Product Security Update web page, where the latest security information and guidance about every Adobe product can be found. Alternatively, users can email Adobe’s Product Security Incident Response Team at [email protected] for additional assistance.
