No software is perfectly developed. It will have some vulnerability due to which a threat actor can cause major damage to the business and reputation of an organization. The damage basically depends upon the criticality of the vulnerability. On February 19th 2020, Adobe released an out-of-schedule patch for multiple vulnerabilities. Out of which 2 of them were categorized as critical. The vulnerabilities were reported by security researchers Francis Provencher and Matt Powell from Trend Micro Zero Day.
Insights
The first vulnerability affected the Adobe Media Encoder version 14.0 and earlier. The vulnerability CVE-2020-3764, caused arbitrary remote code execution due to out-of-bounds write flaw in the software. The out-of-bounds write flaw occurs when the software attempts to write after the end of the buffer or before the start of the buffer. This vulnerability largely affected the Microsoft Windows platform. The second vulnerability affected the Adobe After Effects version 16.2 and earlier. Similar to the first vulnerability, this software also had a security flaw in which the software attempts out-of-bounds write operations. This can allow a potential threat actor to execute arbitrary remote code execution. But in this case, the scope of execution was limited to the context of the user. This vulnerability CVE-2020-3765, affected Microsoft Windows platform.
Conclusion
Adobe had addressed nine security bugs in January 2020. These issues were found in the Adobe Illustrator CC and Adobe Experience Manager. It is very crucial to patch the security bugs as soon as possible to avoid any exploitation in the wild. These vulnerabilities clearly affect the Confidentiality and Integrity of the CIA Triad. Confidentiality is compromised when a potential threat actor performs unauthorized data access using remote code execution. Similarly, he can compromise the integrity of the data by modifying the data.
References