Pierluigi Paganini
September 12, 2024
Adobe Patch Tuesday security updates addressed multiple vulnerabilities in its products, including critical flaws that could allow attackers to execute arbitrary code on Windows and macOS systems.
The most severe vulnerabilities are two critical memory corruption flaws in Acrobat and PDF Reader, tracked as CVE-2024-41869 (CVSS score of 7.8) and CVE-2024-45112 (CVSS score of 8.6).
The vulnerability CVE-2024-41869 is a Use After Free issue while the flaw CVE-2024-45112 is a Type Confusion’ bug.
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-41869 |
| Access of Resource Using Incompatible Type (‘Type Confusion’) (CWE-843) | Arbitrary code execution | Critical | 8.6 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | CVE-2024-45112 |
CVE-2024-45112 was reported by an anonymous researcher and the researcher Haifei Li of EXPMON and Check Point Research reported the flaw CVE-2024-41869.
The company also fixed the following critical flaws in Photoshop
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
|---|---|---|---|---|---|
| Heap-based Buffer Overflow (CWE-122) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-43756 |
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-43760 |
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-45108 |
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-45109 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-45110 |
and in the Illustrator software
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Numbers |
|---|---|---|---|---|---|
| Integer Underflow (Wrap or Wraparound) (CWE-191) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-41857 |
| Integer Overflow or Wraparound (CWE-190) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-34121 |
| Improper Input Validation (CWE-20) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-41856 |
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-45114 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-43758 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-45111 |
| NULL Pointer Dereference (CWE-476) | Application denial-of-service | Moderate | 3.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L | CVE-2024-43759 |
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Adobe)
