New Photoshop 2021 version 22.5.4 and Photoshop 2022 version 23.1 available

Adobe has released security updates for 11 software titles. The updates eliminate 60 security vulnerabilities that are classified as critical.

On the last Patch Day of the year, Adobe once again provided a number of important security updates. The manufacturer closes 60 security vulnerabilities in 11 programs. Many of these loopholes are identified as critical. Affected are, among others, Photoshop, Lightroom, Premiere Pro and Rush, Experience Manager and After Effects. According to Adobe, none of the security gaps have been used for attacks so far.

Photoshop 2021 up to and including version 22.5.3 and Photoshop 2022 up to and including 23.0.2 for Windows and macOS contain two vulnerabilities classified as critical and one that Adobe has identified as a high risk. Vulnerabilities CVE-2021-43018 and CVE-2021-44184 could be used to inject code and execute it with user rights. CVE-2021-43020 is a data leak. Such a data leak is more problematic than it might sound at first: Attackers can read out memory addresses and contents and use this information to determine the memory addresses where the vulnerable program code is located. They can then use this to exploit other vulnerabilities. The new versions Photoshop 2021 22.5.4 and Photoshop 2022 23.1 for Windows and macOS provide a remedy.

Lightroom up to and including version 4.4 for Windows has a use-after-free vulnerability (CVE-2021-43753) that attackers can use to obtain higher privileges. The gap has been closed in Lightroom 5.1 for Windows and macOS.

Adobe has eliminated most of the vulnerabilities in Premiere Rush. Adobe 11 classifies 16 vulnerabilities in versions up to and including 1.5.16 for Windows as critical. An update to version 2.0 for Windows and Mac can help. Premiere Pro up to 22.0 and up to version 15.4.2 for Windows and macOS, include five vulnerabilities. One of them is considered critical. These vulnerabilities have been fixed in versions 22.1.1 and 15.4.3 for Windows and macOS.

There are eight vulnerabilities in Adobe Experience Manager (AEM) 6.5.10.0 and earlier, six of which are considered critical. The AEM Cloud Service is also affected, but updates itself automatically. A service pack brings AEM to the secured version 6.5.11.0. After Effects for Windows and macOS has ten security gaps in versions up to 18.4.2 and up to 22.0, two of which Adobe classifies as critical. This could be used to inject arbitrary code and execute it with user rights. These errors have been fixed in After Effects 18.4.3 and 22.1.1 for Windows and macOS.

Adobe has closed further security holes in Audition, Media Encoder, Dimension, Prelude and Connect. You can find more information on all updates on the Adobe Security Bulletins and Advisories webpage.