A week after Patch Tuesday, Adobe drops security fixes for six offerings
Adobe failed to release security updates on March 2020 Patch Tuesday, but has pushed them out this Tuesday, for Acrobat and Reader, Photoshop, ColdFusion, Experience Manager, Bridge, and Genuine Integrity Service.
41 vulnerabilities in all have been patched, 29 of which are considered critical and 11 important. None of them are under active exploitation.
The heftiest updates are those for Photoshop (CC 2019 and 2020) and Acrobat and Reader (DC, 2017 and 2015) for Windows and macOS.
The Photoshop updates fix 16 vulnerabilities that could be exploited for arbitrary code execution in the context of the current user and 6 that could lead to disclosure of information.
The Acrobat and Reader updates contain fixes for 8 flaws that could be exploited for code execution, 3 for information disclosure and 1 for escalating privileges on compromised systems.
Users of the ColdFusion web-application development platform should also update as soon as possible to plug two holes: one that could allow an arbitrary file read from the Coldfusion install directory and another that could lead to arbitrary code execution of files located in the webroot or its subdirectory.
ColdFusion versions 2016 and 2018 for all platforms are affected, but ColdFusion servers deployed with the recommended lockdown installer are not impacted by these flaws.
Adobe Bridge updates for Windows and macOS fix 2 two critical flaws, the Adobe Genuine Integrity Service update for Windows one insecure file permissions vulnerability that could be used for privilege escalation, and the Adobe Experience Manager updates (available for all platforms) plug a Server-side request forgery (SSRF) flaw that could lead to sensitive information disclosure.