Updates released by Adobe last week for its Illustrator product patch two vulnerabilities that could lead to arbitrary code execution, but the researcher who found them says exploitation is not easy.

According to Adobe, Illustrator 2021 and 2022 for Windows and macOS are affected by improper input validation and out-of-bounds read vulnerabilities that could lead to malicious code execution.
Adobe assigned the flaws a ‘critical’ severity rating. Based on their CVSS score, the vulnerabilities are ‘high severity’.
However, exploitation is not easy. The issues were reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI) by Tran Van Khang, malware analyst in the services division of Vietnam-based cybersecurity firm VinCSS, a subsidiary of Vingroup.
Advisories published by ZDI reveal that the vulnerabilities are related to the parsing of PCX and CDR files.
The researcher told SecurityWeek that an attacker would need to send a malformed file to the targeted user and convince them to open the file using a vulnerable version of Illustrator.
In addition to the social engineering component, exploitation of the vulnerability is not easy due to the need to bypass memory protection mechanisms in Windows, such as DEP and ASLR, Tran explained.

Indeed, Adobe assigned the flaws a priority rating of 3, which indicates that the software giant does not expect them to be exploited in malicious attacks.
This is the seventh round of Illustrator updates announced by Adobe in 2022. Nearly all of the previous updates addressed critical arbitrary code execution vulnerabilities. More than 40 security holes have been patched in the product this year.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.