Adobe fixes critical flaws in Media Encoder and After Effects

After fixing a fat pile of critical security flaws as part of last week’s Patch Tuesday update, Adobe has come back with two more that need urgent attention.

This is what’s called an out of band update, which means that a vulnerability is too risky or likely to be exploited to leave to the next scheduled update.

The first is in the Windows and macOS versions of the After Effects graphics software and affects anyone running version 16.1.2 and earlier.

Identified as CVE-2020-3765 after being reported to Adobe only days ago, the company offers little detail on the vulnerability itself beyond stating that the update:

Resolves a critical out-of-bounds write vulnerability that could lead to arbitrary code execution in the context of the current user.

Assuming that this flaw can be triggered merely by opening a booby-trapped data file – for example, by opening an email attachment or downloading a file from a poisoned website – you should apply the patch as soon as you can.

The second is also an out-of-bounds write weakness, this time in Adobe Media Encoder, affecting Windows and macOS versions 14.02. Identified as CVE-2020-3764, this requires similar current user access.

There is no evidence that either of these flaws is being exploited in the wild, but you never know, hence the need to patch now.

The update

The fix for After Effects (APSB20-09) is to upgrade to version 17.0.3. For Media Encoder (APSB20-10) it’s version 14.0.2.

It’s unusual for Adobe to issue out of band updates. Excluding the later than usual patching of a slew of flaws last October, the last was three emergency fixes for ColdFusion the month before that.

Despite the inconvenience, this is to be applauded. The sooner a critical is patched, the sooner everybody stops worrying about it.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.