Adobe fixes over a dozen flaws in Media Encoder, Download Manager

Adobe has addressed over a dozen flaws in its Creative Cloud, Media Encoder, Genuine Service, ColdFusion and Download Manager products.

Adobe has addressed over a dozen vulnerabilities in its Creative Cloud, Media Encoder, Genuine Service, ColdFusion, and Download Manager products.

“Adobe has published security bulletins for Adobe Creative Cloud Desktop Application (APSB20-33), Adobe Media Encoder (APSB20-36), Adobe Genuine Service (APSB20-42), Adobe ColdFusion (APSB20-43) and Adobe Download Manager (APSB20-49).” reads the post published by Adobe. “Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.”

Adobe has released a security update for the Adobe Download Manager for Windows that addresses a critical vulnerability, tracked as CVE-2020-9688, that could lead to arbitrary code execution.   

Adobe addresses critical and important vulnerabilities in Creative Cloud Desktop Application for Windows. The exploitation of the flaws could lead to arbitrary file system write and privilege escalation in the context of the current user.        

Below the vulnerability details:Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	CVE Numbers
Lack of Exploit Mitigations	Privilege escalation	Important	CVE-2020-9669
Insecure File permissions	Privilege escalation	Important	CVE-2020-9671
Symlink vulnerability	Privilege escalation	Important	CVE-2020-9670
Symlink vulnerability	Arbitrary file system write	Critical	CVE-2020-9682

Adobe also fixes two critical out-of-bounds write and an important out-of-bound read vulnerability in Adobe Media Encoder that could lead to arbitrary code execution and information disclosure respectively in the context of the current user.  

Below the list of vulnerability:

Vulnerability Category	Vulnerability Impact	Severity	CVE Numbers
Out-of-Bounds Read	Information Disclosure	Important	CVE-2020-9649
Out-of-bounds Write	Arbitrary Code Execution	Critical	CVE-2020-9650CVE-2020-9646

Adobe also addresses security updates for ColdFusion versions 2016 and 2018. 

“Adobe has released security updates for ColdFusion versions 2016 and 2018. These updates resolve multiple important vulnerabilities that could lead to privilege escalation.” states the advisory.

Finally, in ColdFusion 2016 and 2018, Adobe patched two important DLL hijacking vulnerabilities that can lead to privilege escalation.

Below the list of the issues patched by the company:

Vulnerability Category	Vulnerability Impact	Severity	CVE Numbers
DLL search-order hijacking	Privilege escalation	Important	CVE-2020-9672CVE-2020-9673

The good news is that Adobe is not aware of any attacks in the wild exploiting these vulnerabilities.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)

[adrotate banner=”5″]

[adrotate banner=”13″]