Adobe Calls Attention to Massive Batch of Code Execution Flaws

Adobe on Tuesday released fixes for at least 72 security vulnerabilities across multiple products and warned that Windows and macOS users are at risk of code execution, memory leaks, and denial-of-service attacks.

The Patch Tuesday rollout addresses critical security defects in Adobe Acrobat and Reader, Illustrator, Photoshop, InDesign, Adobe Commerce, and Dimension, and the company is warning that the most severe of these vulnerabilities could allow attackers to take complete control of a target machine.

Adobe documented at least 12 flaws in the widely deployed Adobe Acrobat and Reader software that could expose users to code execution, privilege escalation, and memory leaks. 

Affected versions include Acrobat DC, Acrobat 2024, and Acrobat 2020 on both Windows and macOS platforms. 

The Adobe Illustrator product was also given a major security update to cover at least 7 documented vulnerabilities on both Windows and macOS systems. Adobe said the Illustrator flaws, rated critical, also introduce code execution risks.

Here are the raw details on the rest of the Adobe updates:

Adobe Dimension 

  • Affected Versions: Adobe Dimension 3.4.11 and earlier
  • CVE Numbers: CVE-2024-34124, CVE-2024-34125, CVE-2024-34126, CVE-2024-20789, CVE-2024-20790, CVE-2024-41865
  • Impact: Arbitrary code execution, memory leak
  • Platform: Windows and macOS
  • Recommendation: Update to Adobe Dimension Version 4.0.2

Adobe Photoshop

  • Affected Versions: Photoshop 2023: Version 24.7.3 and earlier; Photoshop 2024: Version 25.9.1 and earlier
  • CVE Number: CVE-2024-34117
  • Impact: Arbitrary code execution
  • Platform: Windows and macOS
  • Recommendation: Update to Photoshop 2023 Version 24.7.4 or Photoshop 2024 Version 25.11

Adobe InDesign 

  • Affected Versions: InDesign ID19.4 and earlier; InDesign ID18.5.2 and earlier
  • 13 documented flaws: CVE-2024-39389, CVE-2024-39390, CVE-2024-39391, CVE-2024-41852, CVE-2024-41853, CVE-2024-39393, CVE-2024-39394, CVE-2024-41850, CVE-2024-41851, CVE-2024-39395, CVE-2024-3412, CVE-2024-41854, CVE-2024-41866
  • Impact: Arbitrary code execution, memory leak, application denial-of-service
  • Platform: Windows and macOS
  • Recommendation: Update to InDesign ID19.5 or InDesign ID18.5.3

Adobe Bridge

  • Affected Versions: Bridge 13.0.8 and earlier; Bridge 14.1.1 and earlier
  • CVE Numbers: CVE-2024-39386, CVE-2024-39387, CVE-2024-41840
  • Impact: Arbitrary code execution, memory leak
  • Platform: Windows and macOS
  • Recommendation: Update to Bridge 13.0.9 or Bridge 14.1.2

Adobe Substance 3D Stager 

  • Affected Versions: Substance 3D Stager 3.0.2 and earlier
  • CVE Number: CVE-2024-39388
  • Impact: Arbitrary code execution
  • Platform: Windows and macOS
  • Recommendation: Update to Substance 3D Stager Version 3.0.3

Adobe Commerce 

  • Affected Versions: Adobe Commerce: Versions 2.4.7-p1 and earlier; Magento Open Source: Versions 2.4.7-p1 and earlier
  • CVE Numbers: CVE-2024-39397, CVE-2024-39398, CVE-2024-39399, CVE-2024-39400, CVE-2024-39401, CVE-2024-39402, CVE-2024-39403, CVE-2024-39406, CVE-2024-39404, CVE-2024-39405, CVE-2024-39407, CVE-2024-39408, CVE-2024-39409, CVE-2024-39410, CVE-2024-39411, CVE-2024-39412, CVE-2024-39413, CVE-2024-39414, CVE-2024-39415, CVE-2024-39416, CVE-2024-39417, CVE-2024-39418, CVE-2024-39419
  • Impact: Arbitrary code execution, privilege escalation, security feature bypass
  • Platform: All
  • Recommendation: Update to the latest Adobe Commerce or Magento Open Source versions

Adobe InCopy

  • Affected Versions: InCopy 19.4 and earlier; InCopy 18.5.2 and earlier
  • CVE Number: CVE-2024-41858
  • Impact: Arbitrary code execution
  • Platform: Windows and macOS
  • Recommendation: Update to InCopy Version 19.5 or Version 18.5.3

Adobe Substance 3D Sampler 

  • Affected Versions: Substance 3D Sampler 4.5 and earlier
  • CVE Numbers: CVE-2024-41860, CVE-2024-41861, CVE-2024-41862, CVE-2024-41863
  • Impact: Arbitrary code execution, memory leak
  • Platform: All
  • Recommendation: Update to Substance 3D Sampler Version 4.5.1

Adobe Substance 3D Designer

  • Affected Versions: Substance 3D Designer 13.1.2 and earlier
  • CVE Number: CVE-2024-41864
  • Impact: Arbitrary code execution
  • Platform: All
  • Recommendation: Update to Substance 3D Designer Version 13.1.3

Adobe said it was not aware of any of the documented vulnerabilities being exploited prior to the availability of patches.
