A mere two weeks after its most recent set of security patches, Adobe has issued another 14 security bulletins covering 92 CVE-listed bugs.
Nonetheless, Adobe’s repairs apparently represent planned maintenance rather than an out-of-band release, even though October’s Patch Tuesday – the second Tuesday of the month – has come and gone.
“While we strive to release regularly scheduled updates on Patch Tuesday, occasionally these regularly scheduled security updates are released on non-Patch Tuesday dates,” a company spokesperson said.
Affected software includes: After Effects, Audition, Bridge, Character Animator, Prelude, Lightroom Classic, Illustrator, Media Encoder, Premiere Pro, Animate, Premiere Elements, InDesign, XMP Toolkit SDK, and Photoshop.
Coincidentally, in conjunction with its MAX 2021 event, Adobe said Photoshop and Illustrator are now available in limited form for the web as beta software. The web apps allow collaborators to interact with Photoshop and Illustrator documents without a Creative Cloud subscription or local copies of Adobe’s software.
The patches include 61 critical bugs, many of which allow arbitrary code execution:
- After Effects (Windows): 11 CVES, 9 critical, 2 important.
- Audition (Windows, macOS): 9 CVEs, 6 critical, 3 important.
- Bridge (Windows): 9 CVEs, 9 critical.
- Character Animator (Windows, macOS): 8 CVEs, 3 critical, 3 important, 2 moderate.
- Prelude (Windows): 9 CVEs, 7 critical, 2 important.
- Lightroom Classic (Windows): 1 CVE, 1 critical.
- Illustrator (Windows): 5 CVEs, 2 critical, 3 important.
- Media Encoder (Windows, macOS): 6 CVEs, 4 critical, 2 important.
- Premiere Pro (Windows, macOS): 6 CVEs, 3 critical, 3 important.
- Animate (Windows): 10 CVEs, 9 critical, 1 important.
- Premiere Elements (Windows, macOS): 7 CVEs, 5 critical, 2 important.
- InDesign (Windows, macOS): 3 CVEs, 2 critical, 1 important.
- XMP Toolkit SDK (Windows, UNIX, macOS iOS, Android): 5 CVEs, 4 critical, 1 important.
- Photoshop (Windows, macOS): 3 CVEs, 2 critical, 1 moderate.
This is a significantly larger set of problems to deal with than Adobe’s October Patch Tuesday dump of six bulletins addressing 10 CVEs.
“It’s unusual for Adobe to release so many patches out of cycle (meaning not on patch Tuesday) – especially when there are so many patches in different products,” said Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative, in an email to The Register.
“The release also shows how a bug in one product can be shared through a vendor’s entire offering. Many different products are listed with very similar bugs. Since almost all of these patches could result in remote code execution, definitely test and deploy them as soon as you are able.”
Adobe says it’s not aware of any exploitation of these flaws in the wild.
Give it time. ®