Adobe Patches Common Flaws in Acrobat, Brackets, Photoshop


Adobe's December 2019 Patch Tuesday updates fix vulnerabilities in Acrobat and Reader, Brackets, Photoshop and ColdFusion.

A total of 21 vulnerabilities are patched in Acrobat and Reader, including critical out-of-bounds write, use-after-free, heap overflow, buffer error, untrusted pointer dereference and security bypass issues that may be exploited for arbitrary code execution.

Adobe has credited independent experts and researchers from Google, Tencent, SEFCOM Lab, Cisco, HTBLA Leonding, Baidu, STAR Labs, the Renmin University of China, and Palo Alto Networks for reporting the Acrobat and Reader vulnerabilities.

In Photoshop CC, Adobe fixed two critical memory corruption flaws that can be exploited to execute arbitrary code in the context of the current user.

Adobe also patched a critical injection flaw in the Brackets source code editor, found by Google Project Zero researcher Tavis Ormandy. The expert has yet to publish any information, but he will probably do so in the next year.

Adobe has fixed a significant privilege escalation vulnerability in ColdFusion caused by insecure inherited permissions on the default installation directory. The company noted that users who followed the lockdown process during installation are not affected.

Adobe states that there is no evidence that any of these flaws have been exploited in the wild, and although some have been classified as “critical,” the priority ratings assigned to them suggest that the company does not expect the flaws to be used in attacks.

Adobe recently informed customers that support for Acrobat 2015 and Reader 2015 will end on 7 April 2020, and after that date the products won’t receive any security patches.

Microsoft's Patch Tuesday updates for December 2019 address 36 bugs, including a Windows privilege escalation bug exploited in Chrome zero-day attacks.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.