Adobe fixes over a dozen flaws in Media Encoder, Download Manager

Adobe has addressed over a dozen flaws in its Creative Cloud, Media Encoder, Genuine Service, ColdFusion and Download Manager products.

Adobe has addressed over a dozen vulnerabilities in its Creative Cloud, Media Encoder, Genuine Service, ColdFusion, and Download Manager products.

“Adobe has published security bulletins for Adobe Creative Cloud Desktop Application (APSB20-33), Adobe Media Encoder (APSB20-36), Adobe Genuine Service (APSB20-42), Adobe ColdFusion (APSB20-43) and Adobe Download Manager (APSB20-49).” reads the post published by Adobe. “Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.”

Adobe has released a security update for the Adobe Download Manager for Windows that addresses a critical vulnerability, tracked as CVE-2020-9688, that could lead to arbitrary code execution.   

Adobe addresses critical and important vulnerabilities in Creative Cloud Desktop Application for Windows. The exploitation of the flaws could lead to arbitrary file system write and privilege escalation in the context of the current user.        

Below the vulnerability details:Vulnerability Details

Vulnerability CategoryVulnerability ImpactSeverityCVE NumbersLack of Exploit MitigationsPrivilege escalationImportant CVE-2020-9669Insecure File permissionsPrivilege escalationImportantCVE-2020-9671  Symlink vulnerabilityPrivilege escalationImportantCVE-2020-9670Symlink vulnerabilityArbitrary file system writeCriticalCVE-2020-9682Adobe also fixes two critical out-of-bounds write and an important out-of-bound read vulnerability in Adobe Media Encoder that could lead to arbitrary code execution and information disclosure respectively in the context of the current user.  

Below the list of vulnerability:

Vulnerability CategoryVulnerability ImpactSeverityCVE NumbersOut-of-Bounds ReadInformation Disclosure      ImportantCVE-2020-9649Out-of-bounds WriteArbitrary Code Execution CriticalCVE-2020-9650CVE-2020-9646Adobe also addresses security updates for ColdFusion versions 2016 and 2018. 

“Adobe has released security updates for ColdFusion versions 2016 and 2018. These updates resolve multiple important vulnerabilities that could lead to privilege escalation.” states the advisory.

Finally, in ColdFusion 2016 and 2018, Adobe patched two important DLL hijacking vulnerabilities that can lead to privilege escalation.

Below the list of the issues patched by the company:

Vulnerability CategoryVulnerability ImpactSeverityCVE NumbersDLL search-order hijacking Privilege escalation ImportantCVE-2020-9672CVE-2020-9673The good news is that Adobe is not aware of any attacks in the wild exploiting these vulnerabilities.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)

The post Adobe fixes over a dozen flaws in Media Encoder, Download Manager appeared first on Security Affairs.