Adobe’s Surprise Security Bulletin – Mainly Critical Patches!

Adobe has released a massive out-of-band security update this week, addressing 92 vulnerabilities across 14 products.

Out of 92 security vulnerabilities, 66 are rated critical in severity, mostly allowing code execution. The most severe can lead to information disclosure.

The majority of the disclosed bugs are critical-severity problems, & most allow arbitrary code execution (ACE). Privilege escalation, denial-of-service & memory leaks/information disclosure are all well-represented, too.

Commonality

Adobe After Effects, Animate, Audition, Bridge, Character Animator, Illustrator, InDesign, Lightroom Classic, Media Encoder, Photoshop, Prelude, Premiere Pro, Premiere Elements & the XMP Toolkit SDK all received patches.

There is plenty of commonality across the advisories. For instance, the lion’s share of the bugs allow access to a memory location after the end of a buffer, leading to ACE (a type of memory issue that can be exploited, like a standard buffer overflow in the worst-case scenario).

NULL Pointer Dereference

Also, almost all of the critical problems rate 7.8 on the CVSS vulnerability severity scale, except for 1 type. The advisory lists “NULL pointer dereference bugs causing memory leak” flaws as the most severe issues in the bunch, all rating 8.3 on the CVSS scale.

These pop up in Bridge, Media Encoder, Prelude & Premiere Elements (& are italicized, below).

Adobe Oct. Out-of-Band CVEs

Here is the full breakdown of the critical bugs:

After Effects:

• CVE-2021-40751, CVE-2021-40752, CVE-2021-40753, CVE-2021-40754, CVE-2021-40755, CVE-2021-40757, CVE-2021-40758, CVE-2021-40759, CVE-2021-40760 (Access of Memory Location After End of Buffer/ACE)

Animate:

• CVE-2021-40733, CVE-2021-42266, CVE-2021-42267 (Access of Memory Location After End of Buffer/ACE)
• CVE-2021-42268 (NULL Pointer Dereference/ACE)
• CVE-2021-42269 (Use After Free/ACE)
• CVE-2021-42270, CVE-2021-42271, CVE-2021-42272, CVE-2021-42524 (Out-of-Bounds Write/ACE)

Audition:

• CVE-2021-40734, CVE-2021-40735, CVE-2021-40736, CVE-2021-40738, CVE-2021-40739, CVE-2021-40740 (Access of Memory Location After End of Buffer/ACE)

Bridge:

• CVE-2021-40750 (NULL Pointer Dereference/memory leak)
• CVE-2021-42533 (Double Free/ACE)
• CVE-2021-42722, CVE-2021-42720, CVE-2021-42719 (Out-of-Bounds Read/ACE)
• CVE-2021-42728 (Buffer Overflow/ACE)
• CVE-2021-42724, CVE-2021-42729, CVE-2021-42730 (Access of Memory Location After End of Buffer/ACE)

Character Animator:

• CVE-2021-40763, CVE-2021-40764, CVE-2021-40765 (Access of Memory Location After End of Buffer/ACE)

Illustrator:

• CVE-2021-40718 (Out-of-Bounds Read/memory leak)
• CVE-2021-40746 (Out-of-Bounds Read/ACE)

InDesign:

• CVE-2021-42732 (Access of Memory Location After End of Buffer/ACE)
• CVE-2021-42731 (Buffer Overflow/ACE)

Lightroom Classic:

• CVE-2021-40776 (Creation of Temporary File in Directory with Incorrect Permissions/privilege escalation)

Media Encoder:

• CVE-2021-40778 (NULL Pointer Dereference/memory leak)
• CVE-2021-40777, CVE-2021-40779, CVE-2021-40780 (Access of Memory Location After End of Buffer/ACE)

Photoshop:

• CVE-2021-42735 (Access of Memory Location After End of Buffer/ACE)
• CVE-2021-42736 (Buffer Overflow/ACE)

Prelude:

• CVE-2021-40773 (NULL Pointer Dereference/memory leak)
• CVE-2021-42733 (Improper Input Validation/ACE)
• CVE -2021-40775, CVE-2021-42738, CVE-2021-42737, CVE-2021-40772, CVE-2021-40771 (Access of Memory Location After End of Buffer/ACE)

Premiere Elements:

• CVE-2021-40785 (NULL Pointer Dereference/memory leak)
• CVE-2021-40786, CVE-2021-40787, CVE-2021-42526, CVE-2021-42527 (Access of Memory Location After End of Buffer/ACE)

Premiere Pro:

• CVE-2021-40792, CVE-2021-40793, CVE-2021-40794 (Access of Memory Location After End of Buffer/ACE)

XMP Toolkit SDK:

• CVE-2021-42529, CVE-2021-42530, CVE-2021-42531, CVE-2021-42532 (Stack-Based Buffer Overflow/ACE)

Credited Researchers

This bulletin was prompted by findings from 2 teams that deserve awards: Adobe variously credited researchers from TopSec Alpha Team & Trend Micro’s Zero-Day Initiative (ZDI) for most of the bugs, except for CVE-2021-40746 in Illustrator, credited to “Tmgr.”

This could also explain some of the commonalities in the bulletins.

“Of the patches released by Adobe, 9 of these came through the ZDI program,” Dustin Childs of ZDI explained.

File-Parsing Bugs

“Most of these are simple file-parsing bugs, but there are a couple of critical-rated out-of-bounds (OOB) write bugs as well. For these, the vulnerability results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure.

An attacker can use these bugs to execute code in the context of the current process.”

The fixes come 2 weeks after Adobe released its normal monthly Patch  Tues. patches. A company spokesperson characterized the release as “planned” rather than an emergency response &, Adobe stated in its advisories that there’s no evidence that any of the bugs are being exploited in the wild.

Non-Patch Tues. Dates

“While we strive to release regularly scheduled updates on Patch Tues., occasionally these regularly scheduled security updates are released on non-Patch Tues. dates,” a company spokesperson told the Register.

The advisory for Bridge is listed as priority 2 for patching, which in Adobe speak means that the product has historically been at elevated risk for exploitation, so it comes with a recommendation that administrators patch within 30 days. The other advisories are priority 3, which is the lowest risk level, meaning that administrators can patch “at their discretion.”

https://www.cybernewsgroup.co.uk/virtual-conference-november-2021/