Adobe fixes “critical” security flaws in Illustrator, After Effects

Software maker Adobe released urgent security updates on Tuesday to fix code execution vulnerabilities in its widely deployed Illustrator and After Effects products.

The patches, scheduled as part of Adobe’s Patch Tuesday release cycle, address a range of arbitrary code execution and memory leak vulnerabilities that could expose data to attacks by malicious hackers.

The most serious of the vulnerabilities has been patched in Adobe Illustrator, the popular vector graphics design program available for macOS and Windows systems.

In an advisory, Adobe rated the Illustrator flaw as “critical” with a CVSS Base Score of 7.8. The company described bug CVE-2022-23187 as a buffer overflow affecting Illustrator 2022 version 26.0.3 (and earlier) on Windows and macOS machines.

Adobe strongly urges users to upgrade to Illustrator 2022 version 26.1.0.

Adobe, based in San Jose, Calif., issued a separate alert to warn of at least four critical flaws that haunt users of After Effects, another popular software product used in creative motion graphics projects.

The quartet of bugs are all described as stack-based buffer overflows that could allow computer takeover attacks.

“Successful exploitation could lead to the execution of arbitrary code in the context of the current user,” Adobe warned, before urging users to apply patches available on Windows and macOS systems.

A third Adobe bulletin provides details about a solitary memory leak issue in Adobe Photoshop. The Photoshop bug, rated “important”, affects macOS and Windows platforms.

Adobe said it had no information to suggest any of these bugs were exploited in the wild before patches became available.

Ryan Naraine is editor of SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years of experience in the field of computer security and technology trends. Ryan has implemented security engagement programs for major global brands including Intel Corp., Bishop Fox and Kaspersky GReAT. He is co-founder of Threatpost and the SAS Global Conference Series. Ryan’s career as a journalist includes signings to major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World. Ryan is a director of the non-profit organization Security Tinkerers and a regular speaker at security conferences around the world.