Adobe security updates for August 2021 address a total of 29 flaws, including critical vulnerabilities in Magento and important issues in Adobe Connect.
Multiple critical vulnerabilities could be exploited by attackers to gain arbitrary code execution. Magento has also released updates to fix 26 vulnerabilities, including ten pre-authentication vulnerabilities that an unauthenticated attacker can exploit. A remote attacker could exploit some of these vulnerabilities to gain code execution and take over the e-store.
At the time of this writing, experts are not aware of attacks in the wild exploiting the above vulnerabilities; nevertheless, administrators are advised to update their installs as soon as possible.
Adobe also released an update for Adobe Reader that addresses 26 flaws. Most of these are Out-Of-Bounds (OOB) Reads, but the update also addresses some Use-After-Free (UAF), OOB Write, stack exhaustion, and memory corruption bugs.
“One interesting bug being fixed here is CVE-2020-9697, which was found by ZDI Vulnerability Analysis Manager Abdul-Aziz Hariri. The reliable info disclosure leak appears to have existed for more than a decade. We’ll tweet out the proof-of-concept demonstration for this one tomorrow. Yes – the demo is short enough to fit in a tweet,” states the Zero Day Initiative.
Another interesting issue is CVE-2020-9712, which could allow attackers to bypass HTML parsing mitigations within Acrobat Pro DC. An attacker could trigger the flaw to parse HTML documents remotely from within Acrobat. Adobe also released security fixes for a privilege escalation bug in Adobe Lightroom.
(SecurityAffairs – hacking, Adobe)