Adobe Fixes ‘Important’ Flaws in ColdFusion, After Effects and Digital Editions
While Adobe’s regularly scheduled security updates were light this month, they fixed “important” severity vulnerabilities.
Adobe released security patches for vulnerabilities in its ColdFusion, After Effects and Digital Editions applications. If exploited, the flaws could enable attackers to view sensitive data, gain escalated privileges, and launch denial-of-service attacks. Each of the bugs were rated important-severity, based on CVSS rankings, marking an extremely low-volume month for Adobe bug fixes.
Overall Adobe patched flaws tied to five CVEs as part of its regularly scheduled security updates, Tuesday. That number pales in comparison to March, where Adobe patched flaws in an out-of-band update tied to 41 CVEs across its products, 29 of which were critical in severity. In February Adobe patched flaws tied to 42 CVEs in its regularly scheduled updates, 35 of which were critical in severity.
“After several months of heavy and highly critical patches, Adobe is giving us a break of sorts,” said Jay Goodman, strategic product marketing manager, Automox, in a statement. “Although the CVEs are only marked as important, it is still a good cyber hygiene practice to get your applications patched to reduce your risk exposure.”
Three of the vulnerabilities disclosed this week were discovered in ColdFusion, Adobe’s commercial rapid web-application development platform. These flaws included an insufficient input validation flaw (CVE-2020-3767) that could enable application-level denial of service (DoS), a DLL search-order hijacking glitch (CVE-2020-3768) that could enable privilege escalation, and an improper access control (CVE-2020-3796) which could lead to system file structure disclosure.
Affected are Update 14 and earlier of ColdFusion 2016 (users are encouraged to update to Update 15) and Update 8 and earlier of ColdFusion 2018 (fixed in Update 9). These flaws have a Priority 2 update rating, meaning that the flaws were found in a product “that has historically been at elevated risk” – but “there are currently no known exploits,” according to Adobe.
Jason Troy (CVE-2020-3767), Nuttakorn Tungpoonsup and Ammarit Thongthua from Secure D Center’s research team and security researcher Sittikorn Sangrattanapitak (CVE-2020-3768) and Raki Ben Hamouda (CVE-2020-3796) were credited with discovering the flaws.
Adobe also patched an information disclosure flaw in Adobe After Effects, its digital visual effects, motion graphics, and compositing application, for Windows. The vulnerability (CVE-2020-3809) stems from an Out-of-Bounds read glitch. Matt Powell of Zero Day Initiative (ZDI) was credited with discovering the flaw.
Dustin Childs, manager with the ZDI program, told Threatpost that this flaw allows remote attackers to disclose sensitive information on affected installations of Adobe After Effects. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file, he said.
“The specific flaw exists within the parsing of TIF files,” Childs told Threatpost. “Crafted data in a TIF file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.”
Affected are After Effects versions 17.0.1 and earlier; a fix is available in versions 17.0.6 for Windows and macOS.
Another flaw, disclosed in Adobe Digital Editions, its ebook reader software program, could enable information disclosure. This vulnerability (CVE-2020-3798) stems from file enumeration (host or local network). Affected are versions of Digital Editions 220.127.116.11212 and below for Windows; users are encouraged to update to version 18.104.22.168303. Gertjan Franken and Tom Van Goethem from imec-DistriNet, KU Leuv were credited with discovering the flaws.