
Adobe Patches 2 Code Execution Vulnerabilities in Photoshop CC 2017 & 2018

Two important vulnerabilities have been found in Adobe’s Photoshop CC, affecting versions 19.1.5 and prior of the 2018 edition and versions 18.1.5 and prior of the 2017 edition. The vulnerabilities were discovered by a Fortinet security researcher, Kushal Arvind Shah, but nothing has been officially released at the level of detail expected for CVE vulnerabilities.

It appears that a combined update has been rolled out through the Adobe Creative Cloud for the respective editions and versions of Adobe Photoshop CC 2018 / 2017 to patch the two vulnerabilities. The flaws affect these versions of the software on both the Windows and Mac operating systems.

Adobe did release a targeted statement as part of a general security bulletin that vaguely explained the consequences of a successful exploit. According to the statement, successful exploitation of the vulnerabilities could allow an attacker to execute arbitrary code in the context of the logged-in user, with that user's authorization and privileges.

On networked systems, if an administrator account is compromised in this manner, it could pave the way for serious confidentiality and integrity impact, compromising data in the process. Although this type of vulnerability is severe in nature, it has not been exploited as of yet, and analysts do not believe that Adobe’s Photoshop CC software will be of particular interest to attackers looking to steal or deface content.

Adobe has incorporated the update into the Adobe Creative Cloud, which will prompt users to install the patches when they see fit. System administrators in particular have been urged to pay close attention to the warning despite the lack of exploits so far. Administrator accounts are the most dangerous to leave exposed to an arbitrary code execution vulnerability because they hold the greatest level of system-wide rights. That being said, the update is not a forced one, and users can install it when they so choose.
