After fixing a fat pile of critical security flaws as part of last week’s Patch Tuesday update, Adobe has come back with two more that need urgent attention.
This is what’s called an out of band update, which means that a vulnerability is too risky or likely to be exploited to leave to the next scheduled update.
The first is in the Windows and macOS versions of the After Effects graphics software and affects anyone running version 16.1.2 and earlier.
Identified as CVE-2020-3765 after being reported to Adobe only days ago, the company offers little detail on the vulnerability itself beyond stating that the update:
Resolves a critical out-of-bounds write vulnerability that could lead to arbitrary code execution in the context of the current user.
All that tells us is that exploiting the flaw would require access to the user’s machine which shouldn’t detract from the need to patch the issue.
The second is also an out-of-bounds write weakness, this time in Adobe Media Encoder, affecting Windows and macOS versions 14.02. Identified as CVE-2020-3764, this requires similar current user access.
There is no evidence that either of these flaws is being exploited in the wild, but you never know, hence the need to patch now.
The fix for After Effects (APSB20-09) is to upgrade to version 17.0.3. For Media Encoder (APSB20-10) it’s version 14.0.2.
It’s unusual for Adobe to issue out of band updates. Excluding the later than usual patching of a slew of flaws last October, the last was three emergency fixes for ColdFusion the month before that.
Despite the inconvenience, this is to be applauded. The sooner a critical is patched, the sooner everybody stops worrying about it.