Security updates for Photoshop and Illustrator to versions 22 and up
Overall, Adobe fixed 91 security vulnerabilities in 14 products.
Adobe released a few security updates on Patch Day two weeks ago, especially for Acrobat and Reader. Now the vendor has closed 91 security vulnerabilities in 14 programs; 66 of these issues have been rated critical.
Photoshop, InDesign, Premiere Pro and Elements, Illustrator, Lightroom and After Effects are affected. According to Adobe, none of the vulnerabilities has yet been exploited in attacks. The latest version number for several programs, from After Effects to Premiere Pro, is now 22.0.
Photoshop 2021 up to and including version 22.5.1 for Windows and macOS contains two vulnerabilities classified as critical and one that Adobe has rated as medium risk. CVE-2021-42735 and CVE-2021-42736 could be used to inject code and execute it with the user's privileges. An attacker could use CVE-2021-42734 to gain higher privileges. The new versions Photoshop 2021 22.5.2 and Photoshop 2022 23.0 for Windows and macOS fix these issues.
Illustrator 2021 up to version 24.4.1 for Windows has five vulnerabilities, two of which Adobe has rated critical. An attacker who exploits CVE-2021-40746 can inject and execute arbitrary code. These vulnerabilities have been fixed in Illustrator 2022 26.0.
In InDesign up to version 16.4 for Windows and macOS, external security researchers have discovered three vulnerabilities. Two of them (CVE-2021-42731 and CVE-2021-42732) are considered critical because arbitrary code could be injected and executed. Updates to InDesign 17.0 eliminate the vulnerabilities. The Mac version supports Apple's M1 chip.
After Effects for Windows up to version 18.4.1 has 11 vulnerabilities, nine of which Adobe has classified as critical. These could be used to inject arbitrary code and execute it with the user's privileges. The flaws have been resolved in After Effects 22.0 for Windows and macOS.
Lightroom Classic for Windows up to version 10.3 contains a vulnerability rated critical (CVE-2021-40776). A temporary file is created in a directory with incorrectly set permissions, which lets the user gain higher privileges. Lightroom Classic 10.4 and 11.0 for Windows and macOS no longer have this problem.