Adobe has provided security updates for seven products, including Photoshop and Illustrator. The updates fix 63 security vulnerabilities, most of which are classified as critical.
At Patch Day in September, Adobe closed 63 security vulnerabilities in seven programs, most of which it designated as critical. Affected are Photoshop, Illustrator, InDesign, InCopy, Animate, Bridge and Experience Manager. Mat Powell, senior security researcher at Trend Micro ZDI, alone discovered 42 of the 63 vulnerabilities. According to Adobe, none of the vulnerabilities have been used for attacks so far.
In short
|
software |
eliminated gaps |
classified as critical |
|---|---|---|
|
animate |
2 |
2 |
|
bridge |
12 |
10 |
|
Experience manager |
11 |
no |
|
illustrator |
3 |
2 |
|
InCopy |
7 |
5 |
|
InDesign |
18 |
8th |
|
Photoshop |
10 |
9 |
|
total |
63 |
36 |
In
Photoshop
Mat Powell discovered ten vulnerabilities, nine of which Adobe classifies as critical. Photoshop 2022 up to and including version 23.4.2 and Photoshop 2021 up to and including 22.5.8 are vulnerable, each for Windows and macOS. If a user opens a specially prepared image file in Photoshop, arbitrary code can be injected and executed. This can be remedied by updates to Photoshop 2022 23.5 and Photoshop 2021 22.5.9.
In
illustrator
Mat Powell discovered three vulnerabilities (CVE-2022-38408 to -38410). Adobe classifies one of them (CVE-2022-38408) as critical (RCE: Remote Code Execution). Illustrator 2022 up to and including version 26.4 and Illustrator 2021 up to and including 25.4.7 are affected, each for Windows and macOS. The security gaps have been closed in the new versions Illustrator 2022 26.5 and Illustrator 2021 25.4.8.
▶The latest security updates
InDesign
up to version 17.3 and up to 16.4.2 for Windows and macOS has 18 vulnerabilities. Mat Powell reported five of these vulnerabilities, and Yonghui Han from Fortinet’s FortiGuard Labs discovered 12 vulnerabilities. Adobe classifies eight vulnerabilities as critical. The new versions InDesign 17.4 and 16.4.3 fix these errors.
at
InCopy
Mat Powell is once again solely responsible for uncovering the seven eliminated vulnerabilities. Adobe identifies five of these gaps as critical. The gaps are still included in versions up to 17.2 and 16.4.2 for Windows and macOS, but no longer in the new versions 17.4 and 16.4.3.
bridge
contains 12 vulnerabilities up to and including versions 12.0.2 and 11.1.3, each for Windows and macOS. Mat Powell discovered all the gaps, and Adobe classifies ten of them as critical. The solution is updates to the new versions 12.0.3 and 11.1.4.
Adobe Experience Manager
(AEM) is vulnerable to attacks in eleven places, in ten cases the manufacturer classifies the gaps as critical (RCE). Versions up to 6.5.13.0 and the AEM Cloud Service are affected. The latter is updated automatically, for version branch 6.5 Adobe provides the cleaned version 6.5.14.0. Anyone still working with AEM 6.4, 6.3 or even 6.2 should contact Adobe customer service.
And also at
animateMat Powell found two vulnerabilities that Adobe has classified as critical. Animate 2022 to 22.0.7 and Animate 2021 to 21.0.11 are vulnerable, each for Windows and macOS. The new versions Animate 2022 22.0.8 and Animate 2021 21.0.12 provide a remedy.
The current Adobe Security Bulletins can be found on the manufacturer’s website.
