After a light Patch Tuesday earlier this month, Adobe has issued an unexpectedly large bundle of critical security fixes for flaws affecting its Magento, Bridge and Illustrator products.
These might look out of band but in fact Adobe often staggers its patches throughout the month.
Nevertheless, with a total of 35 CVEs to fix in this update, including 24 described as ‘critical’, it’s likely the company has been saving up this patching haul from its bug bounty programme for some time.
Users will be pleased to have them, however, given how many of the flaws are remotely exploitable, carry high CVSS scores and could be used to compromise a target system.
Users of Bridge, a component of Adobe Creative Suite, have the most work to do. There are 17 fixes, of which 14 are critical, collectively identified as APSB20-19. The vulnerabilities affect Bridge 10.0.1 and earlier for Windows, and the update takes Bridge to version 10.0.4 for both Windows and macOS.
The two editions of the Magento ecommerce platform, Open Source and Commerce (previously known as Community Edition and Enterprise Edition), receive fixes for 13 CVEs, including six rated critical, in APSB20-22; each is also listed individually by its PRODSECBUG number.
All six critical flaws allow either command injection or a security bypass. The update affects Open Source version 2.3.4 and earlier and takes it to 2.3.4-p2. For the older 1.x branch, Magento Enterprise Edition 1.14.4.4 and earlier is affected and updates to version 1.14.4.5.
Finally, Illustrator 2020 gets fixes for five critical flaws in update APSB20-20. The affected version is 24.0.2 and earlier, with the update taking the software to version 24.1.2.
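The practical check for an administrator is whether every install is at or above the patched version named in the bulletin. The script below is an added example, not code from the article or from Adobe: it compares installed versions against the fixed versions the bulletins list for Bridge, Magento Open Source and Illustrator 2020 (the inventory it checks is constructed for illustration). The one detail worth getting right is Magento's `-pN` suffix: 2.3.4-p2 is a later patch release than 2.3.4, whereas a semver parser would treat a hyphenated suffix as a pre-release and rank it lower, so a naive comparison would report a patched 2.3.4-p2 install as vulnerable.

```python
"""Audit installed versions against the patched versions in the
Adobe bulletins APSB20-19 (Bridge), APSB20-20 (Illustrator 2020)
and APSB20-22 (Magento Open Source) discussed above.

Added example; not from the article or from Adobe."""
import re
from typing import Dict, Tuple

# Patched version per product, as given in the bulletins above.
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "Adobe Bridge": ("APSB20-19", "10.0.4"),
    "Magento Open Source": ("APSB20-22", "2.3.4-p2"),
    "Adobe Illustrator 2020": ("APSB20-20", "24.1.2"),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-p(\d+))?")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '10.0.1', '2.3.4-p2' or '24.1.2' into a sortable key.

    Returns (numeric components, patch level). The Magento '-pN' suffix
    is a later patch release of the same base version, so it sorts
    AFTER the bare version; this is the opposite of semver, where a
    hyphenated suffix marks a pre-release that sorts before the base.
    """
    match = _VERSION_RE.fullmatch(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    patch_level = int(match.group(2)) if match.group(2) else 0
    return numbers, patch_level


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Shorter version strings are padded with zeros so that '2.3' and
    '2.3.0' compare equal, and '10.0.4' correctly beats '9.9.9' (a
    plain string comparison would get the latter wrong)."""
    a_nums, a_patch = parse_version(a)
    b_nums, b_patch = parse_version(b)
    width = max(len(a_nums), len(b_nums))
    a_key = (a_nums + (0,) * (width - len(a_nums)), a_patch)
    b_key = (b_nums + (0,) * (width - len(b_nums)), b_patch)
    return (a_key > b_key) - (a_key < b_key)


def is_vulnerable(product: str, installed: str) -> bool:
    """True if the installed build is below the bulletin's fixed version."""
    _, fixed = FIXED_VERSIONS[product]
    return compare_versions(installed, fixed) < 0


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each product in the inventory to a status string.

    Products not covered by the three bulletins are reported as
    'not covered' rather than silently skipped."""
    report = {}
    for product, installed in inventory.items():
        if product not in FIXED_VERSIONS:
            report[product] = "not covered"
            continue
        bulletin, fixed = FIXED_VERSIONS[product]
        if is_vulnerable(product, installed):
            report[product] = f"VULNERABLE ({installed} < {fixed}, see {bulletin})"
        else:
            report[product] = f"patched ({installed} >= {fixed})"
    return report


# Constructed sample inventory, not real hosts: one unpatched Bridge,
# one Magento on the bare 2.3.4 release, one Illustrator already fixed.
SAMPLE_INVENTORY = {
    "Adobe Bridge": "10.0.1",
    "Magento Open Source": "2.3.4",
    "Adobe Illustrator 2020": "24.1.2",
}

if __name__ == "__main__":
    for product, status in audit(SAMPLE_INVENTORY).items():
        print(f"{product}: {status}")
```

Run against the sample inventory it flags Bridge and Magento as vulnerable and Illustrator as patched; swapping the Magento entry to 2.3.4-p2 clears that finding, which is the case a semver-based comparison would get backwards.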
Applying these patches isn’t window dressing: Adobe products are quickly targeted once vulnerabilities become public.
For instance, recent attacks on Magento have included an exploit targeting an SQL injection flaw in April last year. And there’s always the tide of card skimming attacks on the platform to contend with.
It doesn’t help that many sites still run Magento 1.x, which prompted Visa to warn earlier this month that sites should be upgraded to 2.x before the software’s end-of-life in June this year and to dodge the skimming threat posed by Magecart.