Adobe rushes to fix an emergency security flaw in Photoshop Creative Cloud
Adobe informs about critical flaws in Photoshop Creative Cloud on August 22. Researchers say that these vulnerabilities could help hackers enable remote code execution in Photoshop. Even though the release of the patches is unscheduled, both Windows and Mac OS users are advised to update their applications immediately.
IT experts note that the following versions of Adobe Photoshop CC might be affected:
- Photoshop CC 2018 version 19.1.5 and earlier;
- Photoshop CC 2017 version 18.1.5 and earlier.
Adobe security patches update Photoshop CC 2018 and Photoshop CC 2017 to 19.1.6 and 18.1.6 versions on Mac and Windows operating systems. These emergency upgrades help avoid remote code execution (RCE) identified under CVE-2018-12810 and CVE-2018-12811 numbers.
The peculiarities of memory corruption vulnerabilities
According to the researchers, if a malicious file would enter the system with a vulnerable Photoshop CC program, it could trigger the execution of a bogus code hidden inside the images. Additionally, security experts note that the remote code execution is in the context of the current user.
Successful exploitation could lead to arbitrary code execution in the context of the current user.
Adobe explicitly thanks for Kushal Arvind Shah, the security researcher at Fortinet's FortiGuard Labs for informing about two critical bugs present on Photoshop CC. Also, the IT specialist helped to resolve the issue and ensure Adobe consumer protection:
Adobe would like to thank Kushal Arvind Shah of Fortinet's FortiGuard Labs for reporting these issues and for working with Adobe to help protect our customers.
Two patches were not included in the Patch Tuesday Cycle
Even though these vulnerabilities were the only ones reported as critical, they were not included in the Patch Tuesday cycle along with other 70 ones released by Microsoft and Adobe. The issued patched covered Acrobat Reader, Experience Manager, Flash, and another flaw in the Creative Cloud.
As the bugs were listed as critical, Adobe and other security researchers encourage all users to update their programs as soon as possible to avoid potential attacks:
Adobe recommends users update their software installations via each application's update mechanism by launching each application, navigating to the Help menu, and clicking “Updates.” For more information, please reference this help page.