FeedSource: [Threatpost]
Time: 2020-04-14 18:27:41 UTC
Original URL: https://threatpost.com/adobe-fixes-important-flaws-in-coldfusion-after-effects-and-digital-editions/154780/ [threatpost.com] using UTF-8 encoding.
Title: Adobe Fixes ‘Important’ Flaws in ColdFusion, After Effects and Digital Editions
While Adobe’s regularly scheduled security updates were light this month, they fixed “important” severity vulnerabilities.
Adobe released security patches for vulnerabilities in its ColdFusion, After Effects and Digital Editions applications. If exploited, the flaws could enable attackers to view sensitive data, gain escalated privileges and launch denial-of-service attacks. Each of the bugs was rated important-severity based on its CVSS score, making this an extremely low-volume month for Adobe bug fixes.
Overall, Adobe patched flaws tied to five CVEs as part of its regularly scheduled security updates [adobe.com] on Tuesday. That number pales in comparison to March, when Adobe patched flaws [threatpost.com] in an out-of-band update tied to 41 CVEs across its products, 29 of which were critical in severity. In February, Adobe patched flaws tied to 42 CVEs in its regularly scheduled updates [adobe.com], 35 of which were critical in severity.
“After several months of heavy and highly critical patches, Adobe is giving us a break of sorts,” said Jay Goodman, strategic product marketing manager, Automox, in a statement. “Although the CVEs are only marked as important, it is still a good cyber hygiene practice to get your applications patched to reduce your risk exposure.”
Three of the vulnerabilities disclosed this week were discovered in ColdFusion [adobe.com], Adobe’s commercial rapid web-application development platform. These flaws included an insufficient input validation flaw (CVE-2020-3767 [vulmon.com]) that could enable application-level denial of service (DoS), a DLL search-order hijacking glitch (CVE-2020-3768 [mitre.org]) that could enable privilege escalation, and an improper access-control flaw (CVE-2020-3796 [vulmon.com]) that could lead to disclosure of the system file structure.
Affected are Update 14 and earlier of ColdFusion 2016 (users are encouraged to update to Update 15) and Update 8 and earlier of ColdFusion 2018 (fixed in Update 9). These flaws have a Priority 2 update rating, meaning that the flaws were found in a product “that has historically been at elevated risk” – but “there are currently no known exploits,” according to Adobe.
Jason Troy (CVE-2020-3767), Nuttakorn Tungpoonsup and Ammarit Thongthua from Secure D Center’s research team and security researcher Sittikorn Sangrattanapitak (CVE-2020-3768) and Raki Ben Hamouda (CVE-2020-3796) were credited with discovering the flaws.
Adobe also patched an information disclosure flaw [adobe.com] in Adobe After Effects, its digital visual effects, motion graphics, and compositing application, for Windows. The vulnerability (CVE-2020-3809) stems from an Out-of-Bounds read glitch. Matt Powell of Zero Day Initiative (ZDI) was credited with discovering the flaw.
Dustin Childs, manager with the ZDI program, told Threatpost that this flaw allows remote attackers to disclose sensitive information on affected installations of Adobe After Effects. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file, he said.
“The specific flaw exists within the parsing of TIF files,” Childs told Threatpost. “Crafted data in a TIF file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.”
Affected are After Effects versions 17.0.1 and earlier; a fix is available in version 17.0.6 for Windows and macOS.
Another flaw, disclosed in Adobe Digital Editions [adobe.com], its e-book reader software, could enable information disclosure. This vulnerability (CVE-2020-3798) stems from file enumeration (host or local network). Affected are versions of Digital Editions 4.5.11.187212 and below for Windows; users are encouraged to update to version 4.5.11.187303. Gertjan Franken and Tom Van Goethem from imec-DistriNet, KU Leuven were credited with discovering the flaw.