Adobe provides security updates with the Patch Day April 2022

Adobe provided important security updates at Patch Day in April. The manufacturer eliminates 78 vulnerabilities in four product families, more than 50 of these vulnerabilities are classified as critical.

Affected are Acrobat and Reader, Photoshop, After Effects as well as Adobe Commerce and Magento. According to Adobe, none of the vulnerabilities have been used for attacks so far.

Adobe has fixed 62 vulnerabilities in the PDF tools Acrobat and Acrobat Reader for Windows and macOS. Among them are 35 gaps that Adobe identifies as critical. They could be exploited with specially crafted PDF files to inject arbitrary code and run it with user privileges. In combination with an EOP (Elevation of Privilege) vulnerability, an attacker could give their code higher privileges, possibly system privileges. This can be remedied by updates for the three product generations that are still supported.

Photoshop 2021 up to version 22.5.6 and Photoshop 2022 up to version 23.2.2 for Windows and macOS contain 13 vulnerabilities. Adobe classifies all vulnerabilities as critical. To exploit one of the vulnerabilities, an attacker would have to get a user to open a crafted file with Photoshop. Updates to Photoshop 2021 22.5.7 and Photoshop 2022 23.3 eliminate the gaps.

In After Effects up to and including 18.4.5 and 22.2.1 there are two vulnerabilities that Adobe classifies as critical. These are stack-based buffer overflows. The vulnerabilities could be exploited to inject and execute code. Adobe provides updates to After Effects 18.4.6 and 22.3 versions.

Adobe Commerce is the commercial version of the open-source shop system Magento, which is still available. In both software variants, Adobe has closed a security gap (CVE-2022-24093) that has been identified as critical. Versions up to and including 2.4.3-p1 and 2.3.7-p2 are affected. Adobe provides updates that fix this vulnerability. Support for Adobe Commerce 2.3.x, which is based on PHP 7.3, will end in September 2022, for PHP 7.3 it has already expired in December 2021. Adobe therefore recommends switching to Adobe Commerce 2.4.x, which is based on PHP 7.4. However, manufacturer support for PHP 7.4 ends at the end of November 2022.