in

Adobe releases batch of security fixes for Framemaker, Creative Cloud, Connect

Adobe has released fixes for critical security problems impacting Framemaker, Creative Cloud, and Connect. 

In the tech giant’s standard security update, published on a monthly basis, a single vulnerability has been resolved in the document processor Framemaker. 

The bug, tracked as CVE-2021-21056, is a critical out-of-bounds read problem which leads to the execution of arbitrary code if exploited. 

A total of three critical vulnerabilities in Adobe Creative Cloud have also been resolved. The first, CVE-2021-21068, is an arbitrary file overwrite issue, whereas CVE-2021-21078 is an OS command injection security flaw. While these bugs lead to the execution of arbitrary code, the third — tracked as CVE-2021-21069 — is an improper input validation problem that can be exploited for privilege escalation. 

Adobe’s Connect software, a remote conferencing tool, has received a fix for a single, critical bug caused by improper input validation. The security flaw, tracked as CVE-2021-21085, can lead to the execution of arbitrary code. 

In addition, Adobe has patched three reflected cross-site scripting (XSS) flaws in Connect. Deemed important, the vulnerabilities — CVE-2021-21079, CVE-2021-21080, and CVE-2021-21081 — can be weaponized for the execution of arbitrary JavaScript in a browser session. 

Adobe thanked Francis Provencher and Rookuu, working with Trend Micro’s Zero Day Initiative, Sebastian Fuchs from Star Finanz, and four independent researchers for reporting the security issues.

In February, Adobe patched critical issues in software including Acrobat, Reader, Magento, and Illustrator, including buffer overflow vulnerabilities, Insecure Direct Object Reference (IDOR) security flaws, and out-of-bounds write/read bugs. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0



Source: Information Technologies - zdnet.com

Microsoft's March Patch Tuesday: Critical remote code execution flaws, IE zero-day fixed

WA Auditor-General finds control weaknesses in four state IT applications