Adobe Patch Day: Malware smuggling in Reader, Illustrator and more
Adobe's March Patch Day brings updates that close code injection vulnerabilities in Illustrator, Reader, and other programs.
In March, Adobe is delivering security updates for eight programs on its Patch Day. These close security vulnerabilities, some of which Adobe classifies as critical. Attackers can use them to smuggle in malware or escalate their privileges.
Adobe's Patch Day overview lists the eight security advisories for the individual products. In Adobe Commerce, Commerce B2B, and Magento Open Source, the developers are closing 19 security vulnerabilities. Among them are several cross-site scripting vulnerabilities, one of which narrowly misses the CVSS classification as a critical risk and allows for privilege escalation or bypassing security measures. In total, Adobe classifies six of them as critical threats.
It's a similar situation with Illustrator. Several vulnerabilities allow the injection and execution of arbitrary code; Adobe classifies five of the seven vulnerabilities as critical. In Acrobat DC, Acrobat Reader DC, and Acrobat 2024, there are three security vulnerabilities, two of which allow code injection and have been classified as critical. Those using Substance 3D Stager should apply the updates to close the six security vulnerabilities considered critical, through which attackers can smuggle in malware.
Adobe: Further updates close security vulnerabilities
Software updates also fix vulnerabilities, some of them critical, in the Adobe DNG Software Development Kit (SDK). In Adobe Premiere and Premiere Pro, there was only one critical vulnerability to close. In Substance 3D Painter, Adobe is fixing nine security vulnerabilities still classified as "important". In Adobe Experience Manager (AEM), developers are also closing 33 cross-site scripting vulnerabilities in March, although these only achieve a CVSS score of 5.4. Deviating from the "medium" risk rating according to CVSS, Adobe classifies these vulnerabilities as "important".
IT administrators and users of Adobe software should apply the updates promptly. In February, Adobe closed security vulnerabilities in nine programs on Patch Day.
(dmk)