Patchday Adobe: Malware attacks on After Effects & Co. possible

Various Adobe applications are vulnerable. Security updates close several gaps.


Attackers can target Adobe After Effects, Audition, Bridge, Commerce, Illustrator, InDesign, Photoshop or Substance 3D Painter. In the worst-case scenario, malicious code can get onto systems. Admins can find further information on the vulnerabilities and secured versions in the warnings linked below this message.

After Effects is vulnerable on macOS and Windows. The developers state that they have closed six security vulnerabilities in versions 24.6.3 and 25.0. These include several vulnerabilities that allow attackers to push malicious code onto PCs and execute it (such as CVE-2024-47441, "high"). To do this, attackers must trigger memory errors (out-of-bounds) in an unspecified way.

Substance 3D Painter can also be attacked via several malicious code vulnerabilities. Version 10.1.1 provides a remedy for all platforms. Illustrator versions 28.7.2 and 29.0.0 on macOS and Windows are protected against malicious code attacks.

Vulnerabilities in InDesign can also allow malicious code to reach systems and compromise them. The developers have closed the vulnerabilities in versions ID18.5.3, ID18.5.4 and ID20.0. Photoshop 2023 24.7.4 and Photoshop 25.12 are also protected against the execution of malicious code (CVE-2024-49514, "high").


Adobe is not currently specifying how attacks could actually take place in individual cases. There are also no reports of attacks already in progress. Nevertheless, admins should update their applications promptly.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.