Adobe released security patches for 50 flaws affecting six products, including a zero-day flaw in Reader that has been exploited in the wild.
Adobe has released security updates that address 50 vulnerabilities affecting its Adobe Acrobat, Magento, Photoshop, Animate, Illustrator, and Dreamweaver products.
Adobe fixed 23 CVEs in Adobe Reader, 17 of which have been rated as Critical.
One of these flaws, tracked as CVE-2021-21017, is a heap-based buffer overflow issue that affects the Adobe Reader. The flaw is known to be actively exploited in the wild to achieve remote code execution on the vulnerable computer.
The flaw was anonymously reported to Adobe, the IT giant was informed that the vulnerability has been “exploited in the wild in limited attacks targeting Reader users on Windows.”
Adobe also addressed 18 vulnerabilities in Magento, seven of which have been rated as Critical.
Only three of these issues can be exploited by unauthenticated attackers without admin privileges. The flaws include reflected and stored XSS bugs, and an IDOR issue that can allow an attacker to access restricted resources.
Successful exploitation of some of the above issues could potentially lead to arbitrary code execution at the level of the current process.
The software vendor also fixed two Out-Of-Bounds (OOB) write vulnerabilities in the Illustrator product that could lead to code execution. The IT giant patched an Out-Of-Bounds (OOB) write vulnerability in the patch for Animate and an Important info disclosure issue in Dreamweaver. The company also fixed five critical flaws in Photoshop that could allow code execution.
“Besides the previously mentioned CVE-2021-21017, none of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.” reported ZDI. “A total of 14 of these bugs came through the ZDI program.”
To read the original article:
https://securityaffairs.co/wordpress/114422/security/adobe-reader-buffer-overflow.html