The April update contains all the necessary patches that need to be applied as soon as possible. Fortunately, there are no reports of any of the vulnerabilities being exploited in the wild, but cybercriminals are known to weaponize flaws quickly.
More about the Adobe Bridge Vulnerabilities
Adobe fixed the following vulnerabilities in its Bridge product designed to help users work with multiple creative assets in a streamlined manner:
- CVE-2021-21093, CVE-2021-21092: critical memory-corruption flaws described as arbitrary code execution flaws;
- CVE-2021-21094, CVE-2021-21095: critical out-of-bounds write flaws that can cause arbitrary code execution;
- CVE-2021-21091: an important out-of-bounds read flaw eventually causing information disclosure;
- CVE-2021-21096: an from improper authorization bug allowing privilege escalation.
The Critical Vulnerabilities in Photoshop
CVE-2021-28548 and CVE-2021-28549 are two critical vulnerabilities, both described as buffer-overflow flaws that could cause arbitrary code execution.
“Adobe has released updates for Photoshop for Windows and macOS. These updates resolve multiple critical vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user,” the official Adobe advisory says.
The Critical Vulnerability in Adobe Digital Editions
This vulnerability is known as CVE-2021-21100, or a privilege-escalation problem that could cause arbitrary file-system write. Digital Editions is an e-Book reader software designed to acquire, manage, and read e-books and other digital publications.
The vulnerability can enable an attacker to force the app to overwrite any file on a system as a privileged user.
The RoboHelp Vulnerability
Adobe addressed one important issue in RoboHelp, a platform for creating technical articles and how-to tutorials. Tracked as CVE-2021-21070, the vulnerability is an uncontrolled search path element eventually allowing privilege escalation attacks.
All of the vulnerabilities should be patched within 72 hours to ensure cybercriminals don’t have time to weaponize them against organizations.