Adobe fixes over a dozen flaws in Media Encoder, Download Manager

Adobe has addressed over a dozen flaws in its Creative Cloud, Media Encoder, Genuine Service, ColdFusion and Download Manager products.

Adobe has addressed over a dozen vulnerabilities in its Creative Cloud, Media Encoder, Genuine Service, ColdFusion, and Download Manager products.

“Adobe has published security bulletins for Adobe Creative Cloud Desktop Application (APSB20-33), Adobe Media Encoder (APSB20-36), Adobe Genuine Service (APSB20-42), Adobe ColdFusion (APSB20-43) and Adobe Download Manager (APSB20-49).” reads the post published by Adobe. “Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.”

Adobe has released a security update for the Adobe Download Manager for Windows that addresses a critical vulnerability, tracked as CVE-2020-9688, that could lead to arbitrary code execution.  

Adobe addresses critical and important vulnerabilities in Creative Cloud Desktop Application for Windows. The exploitation of the flaws could lead to arbitrary file system write and privilege escalation in the context of the current user.

Below the vulnerability details:Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	CVE Numbers
Lack of Exploit Mitigations	Privilege escalation	Important	CVE-2020-9669
Insecure File permissions	Privilege escalation	Important	CVE-2020-9671
Symlink vulnerability	Privilege escalation	Important	CVE-2020-9670
Symlink vulnerability	Arbitrary file system write	Critical	CVE-2020-9682

Adobe also fixes two critical out-of-bounds write and an important out-of-bound read vulnerability in Adobe Media Encoder that could lead to arbitrary code execution and information disclosure respectively in the context of the current user.  

Below the list of vulnerability:

Vulnerability Category	Vulnerability Impact	Severity	CVE Numbers
Out-of-Bounds Read	Information Disclosure	Important	CVE-2020-9649
Out-of-bounds Write	Arbitrary Code Execution	Critical	CVE-2020-9650CVE-2020-9646

Adobe also addresses security updates for ColdFusion versions 2016 and 2018.

“Adobe has released security updates for ColdFusion versions 2016 and 2018. These updates resolve multiple important vulnerabilities that could lead to privilege escalation.” states the advisory.

Finally, in ColdFusion 2016 and 2018, Adobe patched two important DLL hijacking vulnerabilities that can lead to privilege escalation.

Below the list of the issues patched by the company:

Vulnerability Category	Vulnerability Impact	Severity	CVE Numbers
DLL search-order hijacking	Privilege escalation	Important	CVE-2020-9672CVE-2020-9673

The good news is that Adobe is not aware of any attacks in the wild exploiting these vulnerabilities.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.