The security bugs could open the door for arbitrary code-execution and full takeover of targeted machines.

Adobe has released security patches tackling four critical vulnerabilities in Adobe Bridge, along with other critical and important-rated updates for bugs in Adobe Digital Editions, Adobe Photoshop, and RoboHelp.

In all, Adobe fixed 10 security holes in its products during its scheduled April updates, seven of them listed as critical.

None of the CVEs addressed by Adobe are listed as publicly known or under active attack at the time of release.

“This month, Adobe had four updates for Photoshop, Digital Editions, Bridge, and Robohelp and all rated as Priority 3,” Chris Goettl, senior director of product management and security at Ivanti, told Threatpost. “The reasoning behind Adobe’s prioritization is because this update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.”

Goettl noted that this is an aspect of vendor severity ratings that many don’t take into account: if an application is less likely to be targeted by threat actors, Adobe assigns the vulnerability a lower priority regardless of how severe the bug itself is. Patching priority should therefore be determined on an organization-by-organization basis.

“While historical evidence reflects Adobe’s assessment accurately, it does not remove all risk,” he noted. “Photoshop has had as many as nine exploited CVEs over the years, the most recent being the CVEs in 2015. Of these four updates, Photoshop is the riskiest.”

Adobe Bridge Security Vulnerabilities

Adobe Bridge is a creative-asset manager that helps users preview, organize, edit and publish multiple creative assets in a streamlined way. It contains the four critical bugs as well as two “important” vulnerabilities:

  • CVE-2021-21093 and CVE-2021-21092 are critical memory-corruption issues leading to arbitrary code execution;
  • CVE-2021-21094 and CVE-2021-21095 are critical out-of-bounds write bugs also leading to arbitrary code execution;
  • CVE-2021-21091 is an important out-of-bounds read issue that could lead to information disclosure;
  • CVE-2021-21096 is an important improper-authorization issue that allows privilege escalation.

“Arbitrary code execution, or ACE, vulnerabilities provide an adversary a platform to quickly execute additional code or applications on a target system, opening the door to lateral movement or quick exfiltration of system data,” Jay Goodman, manager of product marketing at Automox, said via email.

[Image: Adobe Bridge update table, the fully patched versions. Source: Adobe]

Other Adobe Patches for April

Adobe also addressed two critical vulnerabilities in Photoshop, its popular photo-editing software (CVE-2021-28548 and CVE-2021-28549). Both are buffer-overflow bugs that allow arbitrary code execution.

[Image: Adobe Photoshop update table, the fully patched versions. Source: Adobe]

The company also patched a final critical vulnerability in Adobe Digital Editions, CVE-2021-21100, which is a privilege-escalation problem allowing an arbitrary file-system write. Digital Editions is Adobe’s e-Book reader software used for acquiring, managing and reading e-books, digital newspapers and other digital publications.

“This vulnerability allows an attacker to force the target application to overwrite any file on a system as a privileged user,” Goodman said. “This can allow an attacker to take a system offline by overwriting critical system files.”

[Image: Adobe Digital Editions update table, the fully patched version. Source: Adobe]

And finally, Adobe patched one important-rated vulnerability in RoboHelp, which is a platform for authoring technical articles and how-tos. The bug, tracked as CVE-2021-21070, is an uncontrolled search path element that could allow privilege escalation.

[Image: Adobe RoboHelp update table, the fully patched version. Source: Adobe]

Users can enable auto-updates for the affected products by going to Help > Check for Updates.

“These vulnerabilities should be patched within the 72-hour window to ensure attackers do not have the time to weaponize them against your organization,” Goodman noted.

Article originally appeared:
