Adobe Critical Code-Execution Flaws Plague Windows Users:
Adobe has issued patches for a slew of critical security vulnerabilities, which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.
Affected products include Adobe's Framemaker document processor, designed for writing and editing large or complex documents; Adobe's Connect software used for remote web conferencing; and the Adobe Creative Cloud software suite for video editing.
"Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates," according to an Adobe spokesperson.
Adobe fixed a critical flaw (CVE-2021-21056) in Framemaker, which could allow for arbitrary code execution if exploited. The vulnerability is an out-of-bounds read error; which is a type of buffer-overflow flaw where the software reads data past the end of the intended buffer. An attacker who can read out-of-bounds memory might be able to get "secret values" (like memory addresses) that could ultimately allow him to achieve code execution or denial of service.
[...] Adobe also fixed three critical vulnerabilities in the desktop application version of Adobe Creative Cloud for Windows users.
Two of the three critical flaws could enable arbitrary code execution: One of these (CVE-2021-21068) stems from an arbitrary file-overwrite hole, while the other (CVE-2021-21078) exists due to an OS command-injection error. The third critical flaw (CVE-2021-21069) stems from improper input validation and could allow an attacker to gain escalated privileges.
[...] Several critical- and important-severity bugs were patched in Adobe Connect.
One critical bug (CVE-2021-21078) stemmed from improper input validation; this could allow for arbitrary code execution.
And, three important cross-site scripting (XSS) flaws (CVE-2021-21079, CVE-2021-21080, CVE-2021-21081) were patched. These could allow for arbitrary JavaScript execution in the victim's browser, if exploited.
Related Stories
On Tuesday, Adobe unveiled Firefly, its new AI image synthesis generator. Unlike other AI art models such as Stable Diffusion and DALL-E, Adobe says its Firefly engine, which can generate new images from text descriptions, has been trained solely on legal and ethical sources, making its output clear for use by commercial artists. It will be integrated directly into Creative Cloud, but for now, it is only available as a beta.
Since the mainstream debut of image synthesis models last year, the field has been fraught with issues around ethics and copyright. For example, the AI art generator called Stable Diffusion gained its ability to generate images from text descriptions after researchers trained an AI model to analyze hundreds of millions of images scraped from the Internet. Many (probably most) of those images were copyrighted and obtained without the consent of their rights holders, which led to lawsuits and protests from artists.
Related:
Paper: Stable Diffusion "Memorizes" Some Images, Sparking Privacy Concerns
90% of Online Content Could be 'Generated by AI by 2025,' Expert Says
Getty Images Targets AI Firm For 'Copying' Photos
Adobe Stock Begins Selling AI-Generated Artwork
A Startup Wants to Democratize the Tech Behind DALL-E 2, Consequences be Damned
Adobe Creative Cloud Experience Makes It Easier to Run Malware
Adobe Goes After 27-Year Old 'Pirated' Copy of Acrobat Reader 1.0 for MS-DOS
Adobe Critical Code-Execution Flaws Plague Windows Users
When Adobe Stopped Flash Content from Running it Also Stopped a Chinese Railroad
Adobe Has Finally and Formally Killed Flash
Adobe Lightroom iOS Update Permanently Deleted Users' Photos
(Score: 3, Informative) by stretch611 on Wednesday March 10 2021, @10:37PM
Adobe needs something in the tech news in order to stay relevant.
It just decided that buggy software is what it is known for.
Honestly, I am only surprised by the fact that Adobe Reader (pdf) is not one of the programs with the critical flaws. (Though I am sure it will be listed the next time.)
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 4, Insightful) by looorg on Wednesday March 10 2021, @10:41PM
How many horrible crippling flaws can one company be responsible for before one starts to wonder what is really wrong at the company. It just seems like Adobe is punching well above their reach.
(Score: 2, Insightful) by aristarchus on Wednesday March 10 2021, @10:48PM (8 children)
Is it really the fault of an incompetent software company, and arrestors of conference participants [cnet.com], that their product opens vulnerabilities in a insecure operating system? Is it right to blame the proximate cause, or the underlying common defect? Windows. The problem is Microsoft. Adobe is a symptom.
(Score: 2, Touché) by fustakrakich on Wednesday March 10 2021, @11:07PM
Not really a symptom, they just prefer that you use a Mac
La politica e i criminali sono la stessa cosa..
(Score: 2) by Runaway1956 on Wednesday March 10 2021, @11:27PM (6 children)
I don't think I actually agree with you, but your thinking (on this subject) is good. While you can't go wrong by pointing fingers at Microsoft, I think Adobe shares a lot of the blame.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2) by aristarchus on Thursday March 11 2021, @01:04AM (5 children)
I know, Runaway, I know.
(Score: 2) by Runaway1956 on Thursday March 11 2021, @01:09AM (4 children)
LOL, you get away with pretending to think, all the while spouting your partisan nonsense.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2) by aristarchus on Thursday March 11 2021, @01:16AM (3 children)
And here I thought that you thought that you thought that you agreed with me! Who is the partizan now, mon frere?
(Score: 2) by Runaway1956 on Thursday March 11 2021, @02:24AM (2 children)
Don't you "Mon Furrie" ME, you pervert!
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 0) by Anonymous Coward on Thursday March 11 2021, @09:14PM
now this is what I come here for! you two or two like you exchanging such mental barbs.
Maybe you guys sit in my seat up in the theatre 2nd level and we can call you Statler and Waldorf.
(Score: 0) by Anonymous Coward on Friday March 12 2021, @02:19AM
No pictures though!
(Score: 2, Funny) by Anonymous Coward on Wednesday March 10 2021, @10:55PM
It's for the good of mankind.
(Score: 4, Funny) by Frosty Piss on Wednesday March 10 2021, @11:02PM (8 children)
The only Adobe product I still use is Photoshop, because Gimp isn’t yet quite up to doing complex print related things. Hopefully Gimp will get there. Also, I despise SAS...
(Score: 1, Interesting) by Anonymous Coward on Thursday March 11 2021, @02:07AM (7 children)
Gimp and Photoshop do different things. The closest FOSS to Photoshop currently is Krita. https://krita.org/en/ [krita.org]
(Score: 1, Insightful) by Anonymous Coward on Thursday March 11 2021, @03:50AM (2 children)
Isn't Krita more of a competition to Illustrator?
(Score: 2) by Frosty Piss on Thursday March 11 2021, @04:08AM (1 child)
I think so.
(Score: 2) by DannyB on Thursday March 11 2021, @05:37PM
At times I wonder if people even understand the difference between photoshop and illustrator. Or raster and vector graphics.
If a lazy person with no education can cross the border and take your job, we need to upgrade your job skills.
(Score: 2) by Freeman on Thursday March 11 2021, @05:49PM (2 children)
Gimp "is a free and open-source raster graphics editor" and was initially released in 1996. https://en.wikipedia.org/wiki/GIMP [wikipedia.org] Photoshop "is a raster graphics editor developed and published by Adobe Inc." and was initially released in 1990. https://en.wikipedia.org/wiki/Adobe_Photoshop [wikipedia.org]
The biggest difference is that one is free and open-source, while the other is proprietary. Also, professionals tend to use Photoshop. Certainly due to a large number of factors, but I imagine a lot of it is due to the fact that open-source was this geeky thing in the past. Also, Adobe has thrown boat loads more money at the problems / solutions for their user base than Gimp could ever dream.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by Freeman on Thursday March 11 2021, @05:58PM
Looking at Krita, it's also a raster graphics editor. It does seem to be a bit more user-friendly compared to Gimp, especially with regards to use of a Wacom or other digital art tablet/device. https://en.wikipedia.org/wiki/Krita [wikipedia.org]
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0) by Anonymous Coward on Thursday March 11 2021, @08:10PM
(Score: 2) by Freeman on Thursday March 11 2021, @06:06PM
The most interesting thing I found is that Krita just released a beta version for Android. That could be very interesting on the likes of a Samsung Tablet with an S-Pen. Certainly massively cheaper than an iPad with an Apple Pencil or a Wacom Cintiq. I tried getting my wife into digital drawing, but she never came around to the idea. Not that she's done much in that area recently, anyway.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 3, Informative) by meustrus on Thursday March 11 2021, @04:47AM
Look, anybody that cares about security vulnerabilities knows what arbitrary code execution means. The ways a particular flaw enables that can be interesting at times.
But when I see a story like this, I have one question: what is the attack vector? Seriously. Is this a flaw in some networking aspect of the program? Or do I need to open a specially crafted file?
It's impossible to know what your exposure is when these blurbs don't say whether I need to be careful about email attachments (like I'm not already), or uninstall the program.
(for this story, it doesn't particularly matter to me because I don't even use these Adobe products. However, this has been a trend in security reporting on this site in general)
If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
(Score: 3, Insightful) by Dr Spin on Thursday March 11 2021, @08:13AM (1 child)
Surely Windows systems are vulnerable by definition?
Warning: Opening your mouth may invalidate your brain!
(Score: 0) by Anonymous Coward on Thursday March 11 2021, @09:50AM
Wouldn't it be more concise to state: Adobe plagues Window users?
(Score: 0) by Anonymous Coward on Thursday March 11 2021, @01:09PM
"plague" - a word used in a headline to gain clicks only to connect to a story that says the issue they are mitigating has been no big deal in the wild