Adobe fixes over a dozen flaws in Media Encoder, Download Manager

Pierluigi Paganini July 14, 2020

Adobe has addressed over a dozen flaws in its Creative Cloud, Media Encoder, Genuine Service, ColdFusion and Download Manager products.

Adobe has addressed over a dozen vulnerabilities in its Creative Cloud, Media Encoder, Genuine Service, ColdFusion, and Download Manager products.

“Adobe has published security bulletins for Adobe Creative Cloud Desktop Application (APSB20-33), Adobe Media Encoder (APSB20-36), Adobe Genuine Service (APSB20-42), Adobe ColdFusion (APSB20-43) and Adobe Download Manager (APSB20-49).” reads the post published by Adobe. “Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.”

Adobe has released a security update for the Adobe Download Manager for Windows that addresses a critical vulnerability, tracked as CVE-2020-9688, that could lead to arbitrary code execution.   

Adobe addresses critical and important vulnerabilities in Creative Cloud Desktop Application for Windows. The exploitation of the flaws could lead to arbitrary file system write and privilege escalation in the context of the current user.        

Below the vulnerability details:Vulnerability Details

Vulnerability CategoryVulnerability ImpactSeverityCVE Numbers
Lack of Exploit MitigationsPrivilege escalationImportant CVE-2020-9669
Insecure File permissionsPrivilege escalationImportantCVE-2020-9671  
Symlink vulnerabilityPrivilege escalationImportantCVE-2020-9670
Symlink vulnerabilityArbitrary file system writeCriticalCVE-2020-9682

Adobe also fixes two critical out-of-bounds write and an important out-of-bound read vulnerability in Adobe Media Encoder that could lead to arbitrary code execution and information disclosure respectively in the context of the current user.  

Below the list of vulnerability:

Vulnerability CategoryVulnerability ImpactSeverityCVE Numbers
Out-of-Bounds ReadInformation Disclosure      ImportantCVE-2020-9649
Out-of-bounds WriteArbitrary Code Execution CriticalCVE-2020-9650CVE-2020-9646

Adobe also addresses security updates for ColdFusion versions 2016 and 2018. 

“Adobe has released security updates for ColdFusion versions 2016 and 2018. These updates resolve multiple important vulnerabilities that could lead to privilege escalation.” states the advisory.

Finally, in ColdFusion 2016 and 2018, Adobe patched two important DLL hijacking vulnerabilities that can lead to privilege escalation.

Below the list of the issues patched by the company:

Vulnerability CategoryVulnerability ImpactSeverityCVE Numbers
DLL search-order hijacking Privilege escalation ImportantCVE-2020-9672CVE-2020-9673

The good news is that Adobe is not aware of any attacks in the wild exploiting these vulnerabilities.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment