
Adobe fixes 15 critical vulnerabilities






Adobe has provided important security updates for five product families. The updates fix 25 security vulnerabilities, most of which are classified as critical.

On Patch Day in August, Adobe closed 25 security gaps in five program families, most of which it designated as critical. The affected products are Acrobat, Acrobat Reader, Illustrator, Framemaker and Premiere Elements, as well as Commerce and Magento. According to Adobe, none of the vulnerabilities have been used for attacks so far.

In the PDF tools Acrobat and Acrobat Reader, Adobe had already closed 22 security gaps with the quarterly updates in July. In August, the manufacturer follows up and fills another seven gaps. Adobe classifies three of them as critical. An attacker could use prepared PDF documents to inject arbitrary code that would be executed with the rights of the logged-in user. This can be remedied by updates for the three product generations that are still being maintained (Windows and macOS):

In Illustrator, security researcher Mat Powell (Trend Micro ZDI) discovered four vulnerabilities (CVE-2022-34260 to -34263). Adobe classifies two of them as critical (RCE: Remote Code Execution). Illustrator 2022 up to and including version 26.3.1 and Illustrator 2021 up to 25.4.6 are vulnerable, each for Windows and macOS. The security gaps have been closed in the new versions Illustrator 2022 26.4 and Illustrator 2021 25.4.7.

Also in Framemaker, Mat Powell found what he was looking for on Windows. He has reported six vulnerabilities to Adobe. Adobe classifies five of these gaps as critical. Three of these RCE vulnerabilities could be exploited with crafted SVG (Scalable Vector Graphics) files. Framemaker 2019 up to and including Update 8 and Framemaker 2020 up to Update 4 are affected. Adobe has provided ZIP archives with corrected program libraries (DLLs), but customers have to unpack them themselves and copy them to the program directory in order to overwrite the vulnerable DLLs. After starting the program, Framemaker should be version 15.0.8 (2019) or 16.0.4 (2020).

The video editing program Premiere Elements 2022 (version 20.0) for Windows and macOS contains a vulnerability (CVE-2022-34235) that Adobe has identified as critical. The software searches for required resources such as program libraries (DLLs) without explicitly specifying the search path. As a result, an attacker could get the program to load crafted DLLs if they can make them available in a suitable directory. An update fixes the problem.

After taking over the open source online shop solution Magento in 2018, Adobe derived an extended, paid edition (Adobe Commerce) from it. Magento Open Source and Adobe Commerce share the software basis and thus also their security gaps. In August, Adobe closed seven security holes in it. Adobe classifies four of these gaps as critical. Depending on the previous version installed, the software should have one of these version numbers after the due update: 2.3.7-p4, 2.4.3-p3, 2.4.4-p1 or 2.4.5 (for both variants).
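Because the fixed builds sit on separate release lines, a single "at least 2.3.7-p4" comparison would wrongly pass an unpatched 2.4.4. The following sketch is an added example, not Adobe's or Magento's code: it checks installed Magento or Adobe Commerce versions against the four builds named above, per release line. The inventory, hostnames and status labels are constructed, and treating release lines newer than 2.4.5 as fixed is an assumption.

```python
import re

# Fixed builds named in the article: release line -> minimum patch level (-pN).
FIXED_PATCH_LEVEL = {(2, 3, 7): 4, (2, 4, 3): 3, (2, 4, 4): 1, (2, 4, 5): 0}
NEWEST_LISTED_LINE = max(FIXED_PATCH_LEVEL)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Split '2.4.3-p2' into ((2, 4, 3), 2); a missing -pN suffix is patch level 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro)), int(patch or 0)


def patch_status(text):
    """Return 'fixed', 'needs-update' or 'unlisted' for one installed version."""
    line, patch = parse_version(text)
    if line in FIXED_PATCH_LEVEL:
        return "fixed" if patch >= FIXED_PATCH_LEVEL[line] else "needs-update"
    if line > NEWEST_LISTED_LINE:
        return "fixed"  # assumption: later release lines carry the fixes
    return "unlisted"  # the article names no fixed build for this release line


def audit(inventory):
    """Map host -> status; unparseable versions are reported, not skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = patch_status(version)
        except ValueError:
            report[host] = "unparseable"
    return report


# Constructed inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = {
    "shop-a": "2.4.3-p3",
    "shop-b": "2.4.4",
    "shop-c": "2.3.7-p3",
    "shop-d": "2.4.5",
    "shop-e": "2.4.2-p2",
    "shop-f": "2.4.x",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

Hosts reported as `unlisted` or `unparseable` need a manual look, since the article gives no fixed build for their release line.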

The current Adobe Security Bulletins can be found on the manufacturer’s website.
