August 2022 Adobe Patch Day fixes 25 security vulnerabilities

Adobe has provided important security updates to fix 25 security vulnerabilities, most of which are classified as critical. Affected are Acrobat, Acrobat Reader, Illustrator, FrameMaker, Premiere Elements as well as Commerce and Magento. According to Adobe, none of the vulnerabilities have been used for attacks so far.

Adobe had already fixed 22 security vulnerabilities in the PDF tools Acrobat and Acrobat Reader with the quarterly updates in July. In August, the manufacturer now fixed another seven vulnerabilities. Adobe classifies three of these as critical. An attacker could use prepared PDF documents to inject arbitrary code that would be executed with the rights of the logged-in user.

Four vulnerabilities in Illustrator (CVE-2022-34260 to -34263) have been fixed. Adobe classifies two of these as critical (RCE: Remote Code Execution). Illustrator 2022 up to and including version 26.3.1 and Illustrator 2021 up to and including 25.4.6 are vulnerable, each for Windows and macOS. The security vulnerabilities have been fixed with the updates to Illustrator 2022 26.4 and Illustrator 2021 25.4.7.

Six vulnerabilities in FrameMaker for Windows have been fixed. Adobe classifies five of these vulnerabilities as critical. Three of these RCE vulnerabilities could be exploited with crafted SVG (Scalable Vector Graphics) files. FrameMaker 2019 up to and including Update 8 and FrameMaker 2020 up to Update 4 are affected. Adobe has provided ZIP archives with error-corrected program libraries (DLLs), but customers have to unpack these themselves and copy these to the program directory in order to overwrite the vulnerable DLLs. After starting the program, FrameMaker should be version 15.0.8 (2019) or 16.0.4 (2020).

The video editing program Premiere Elements 2022 (version 20.0) for Windows and macOS contains a vulnerability (CVE-2022-34235) that Adobe has classified as critical. The software searches for required resources such as program libraries (DLLs) without explicitly specifying the search path. As a result, an attacker could foist crafted DLLs on the program if they can make them available in a suitable directory. An update fixes the problem.

Magento Open Source and Adobe Commerce share the same software basis Adobe fixed seven security vulnerabilities with the August updates. Adobe classifies four of these vulnerabilities as critical. Depending on the previous version installed, the software should have one of these version numbers after the due update: 2.3.7-p4, 2.4.3-p3, 2.4.4-p1 or 2.4.5 (for both variants).