Adobe out-of-band security updates for Photoshop, Prelude, Bridge

A week after July 2020 Patch Tuesday, Adobe has released out-of-band security updates to fix thirteen vulnerabilities – twelve of which critical – in Adobe Photoshop, Bridge, Prelude, and Reader Mobile.

The good news is that none of these vulnerabilities are currently being exploited in the wild, and that most of them are in products that have historically not been a target for attackers.

Out-of-band updates

Adobe considers the update for the mobile versions of Reader for Android to be the one users and admins should implement soon, even though it fixes “just” a single information disclosure flaw.

The Adobe Photoshop updates deliver fixes for Photoshop CC 2019 and Photoshop 2020 on Windows and macOS, which resolve five critical out-of-bounds read/write issues that could lead to arbitrary code execution.

The Adobe Prelude update (for Windows and macOS) fix four out-of-bounds read/write flaws that may allow successful arbitrary code execution, and the Adobe Bridge update (for Windows and macOS) three.

Aside from the Mobile Reader update, the others are not that pressing – although they are important for individuals and organizations that work on photo and video production: Photoshop is widely used for editing images and producing digital art, Adobe Prelude is a logging tool for tagging media with metadata for searching, post-production workflows, and footage lifecycle management, and Adobe Bridge is a digital asset management app.

All of the out-of-bounds read/write vulnerabilities fixed in this round of security updates were flagged by Mat Powell of Trend Micro Zero Day Initiative and, according to ZDI’s Dustin Childs, they can be triggered if the target opens a specially crafted file (MOV, MP4, 3GP) or visits a malicious website.

Last week, Adobe fixed a wide variety of flaws in Adobe ColdFusion, Adobe Genuine Service, Adobe Download Manager, Adobe Media Encoder and Adobe Creative Cloud Desktop Application.