Adobe Releases May’s Security Updates Threat Alert

Adobe Releases May’s Security Updates Threat Alert

May 26, 2020 | Adeline Zhang

Overview

On May 12, 2020, local time, Adobe officially released July’s security updates to fix multiple vulnerabilities in its various products, including Adobe DNG Software Development Kit (SDK) and Adobe Acrobat and Reader.

For details about the security update, visit the following link:

https://helpx.adobe.com/security.html

Vulnerability Description

Adobe DNG Software Development Kit (SDK)

Adobe has released security updates for Adobe DNG Software Development Kit (SDK) that address 12 vulnerabilities listed in the following table:

The following updates are rated as Priority 3. (For the definition of priorities, see Adobe Priority Rating System).

Vulnerability details are as follows:

Vulnerability CategoryVulnerability ImpactSeverity LevelCVE ID
Heap overflowArbitrary code executionCritical  CVE-2020-9589 CVE-2020-9590  CVE-2020-9620  CVE-2020-9621 
Out-of-bounds readInformation disclosureImportantCVE-2020-9622  CVE-2020-9623  CVE-2020-9624  CVE-2020-9625  CVE-2020-9626  CVE-2020-9627  CVE-2020-9628  CVE-2020-9629 

For details on the vulnerability impact and remediation, refer to the security bulletin at the following link:

https://helpx.adobe.com/security/products/dng-sdk/apsb20-26.html

Adobe Acrobat and Reader

Adobe has released security updates for Adobe Flash Player that address 24 vulnerabilities listed in the following table:

The following updates are rated as Priority 2. (For the definition of priorities, see Adobe Priority Rating System).

Vulnerability details are as follows:

Vulnerability CategoryVulnerability ImpactSeverity LevelCVE ID
Null pointerDenial of serviceImportant  CVE-2020-9610
Heap overflowArbitrary code executionCritical CVE-2020-9612
Race conditionSecurity feature bypassCritical CVE-2020-9615
Out-of-bounds writeArbitrary code executionCritical CVE-2020-9597 CVE-2020-9594
Security bypassSecurity feature bypassCritical CVE-2020-9614 CVE-2020-9613 CVE-2020-9596 CVE-2020-9592
Stack exhaustionDenial of serviceImportant CVE-2020-9611
Out-of-bounds readInformation disclosureImportant CVE-2020-9609 CVE-2020-9608 CVE-2020-9603 CVE-2020-9602 CVE-2020-9601 CVE-2020-9600 CVE-2020-9599
Buffer overflowArbitrary code executionCritical CVE-2020-9605 CVE-2020-9604
Use after freeArbitrary code executionCritical CVE-2020-9607 CVE-2020-9606
Invalid memory accessInformation disclosureImportant CVE-2020-9598 CVE-2020-9595 CVE-2020-9593

For details on the vulnerability impact and remediation, refer to the security bulletin at the following link:

https://helpx.adobe.com/security/products/acrobat/apsb20-24.html

Solution

Adobe has officially released security updates to fix the preceding vulnerabilities. Users are advised to upgrade according to the time provided in the Adobe Priority Rating System.

For vulnerability details and remediation, please visit the preceding security bulletin links.

Adobe Priority Rating System

The Adobe Priority Rating System is a guideline to help our customers in managed environments prioritize Adobe security updates. We base our priority rankings on historical attack patterns for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that are in place.

RatingDescription
Priority 1This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for example, within 72 hours).
Priority 2This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days).
Priority 3This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.
https://helpx.adobe.com/security/severity-ratings.html

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.