Adobe plugs gaps in ColdFusion and Media Encoder
Adobe’s contribution to Patch Day in July is diverse, but unspectacular. In Flash Player, Adobe has only fixed bugs that are not security-related. The new version 32.0.0.403 is available for all platforms except for the Flash Player integrated in Internet Explorer and Edge (EdgeHTML). Flash Player is being discontinued at the end of the year. It is hardly needed on the web any more, at most for browser games.
Two vulnerabilities have been fixed that affect ColdFusion 2016 up to Update 15 and ColdFusion 2018 up to Update 9. They are considered high risk: an attacker could gain higher privileges because ColdFusion does not respect the correct search order for the DLLs (program libraries) it loads. The fixes are in Update 16 for ColdFusion 2016 and Update 10 for ColdFusion 2018. In addition, the latest Java update must be installed in order to successfully protect servers against attacks.
The Creative Cloud Desktop App up to and including version 5.1 has four vulnerabilities, one of which Adobe considers critical. Vulnerability CVE-2020-9682 could be exploited to gain arbitrary write access to the file system. An attacker could delete files, overwrite them, or create new ones.
Adobe has closed three gaps in Media Encoder. Versions up to 14.2 are affected; an update to version 14.3 for Windows and macOS fixes the vulnerabilities. Two of the gaps could be used to execute injected code.
Application (APSB20-33), Adobe Media Encoder (APSB20-36), Adobe Genuine Service (APSB20-37), Adobe ColdFusion
A vulnerability (CVE-2020-9688) in Adobe Download Manager 2.0.0.518 could allow an attacker to inject commands and execute arbitrary code. Version 2.0.0.529 is no longer vulnerable. Download Manager comes with Flash Player or Adobe Reader.
Adobe’s Genuine Service (or Genuine Integrity Service) license checker has three vulnerabilities that allow the current user to gain higher privileges. This also applies to code that the user unknowingly executes. Versions up to 6.6 for Windows and macOS are vulnerable. The gaps are closed in version 7.1; the software updates automatically if there is an Internet connection.
The current Adobe Security Bulletins can be found on this page of the manufacturer.