May, 2020: Patch Monday: 2 Adobe Out of Band Updates

Welcome to this May Patch Monday Bulletin. This month there are patches from Adobe, Apple, Google, and Mozilla. The good news this month is that there are no known attacks on products that have updates available.

Adobe published an out-of-band update for Premiere Rush, Premiere Pro, Audition, and Character Animator. Of those products, Character Animator is the only one with a critical vulnerability. These products are all listed as Priority 3 because they are not traditionally targeted by attackers, but this also means that they may not be managed to the same level as widely used Adobe products. Take time this month to see if these products are being used in the environment and update as necessary. Adobe released updates for Acrobat/Reader and DNG SDK during the normal release date. Acrobat/Reader is a Critical Priority 2 update, so it should be prioritized appropriately. In late April, Adobe released out-of-band critical updates for Magento, Illustrator, and Bridge. Pay special attention to Magento since that is the only Priority 2 update.

Chrome and Firefox should be reviewed next, since numerous vulnerabilities are fixed and browsers are typically great targets for attackers. Thunderbird has numerous vulnerabilities, but as usual these vulnerabilities are mitigated because scripting is disabled. Interesting to note this month: Apple released updates for iTunes for Windows, but there are no details available.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia which documents all of the Security Log event ID’s for Windows Server OS’s. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and useable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of non-MS patches this month.

Patch data provided by:

| Identifier | Vendor/Product | Product Version Affected | Date Released by Vendor | Vulnerability Info | Vendor Severity / Our Recommendation |
|---|---|---|---|---|---|
| CVE-2020-9617 | Adobe Premiere Rush | 1.5.8 and earlier | 5/19/2020 | Information Disclosure | Important Priority 3: Update at admin’s discretion |
| CVE-2020-9618 | Adobe Audition | 13.0.5 and earlier | 5/19/2020 | Information Disclosure | Important Priority 3: Update at admin’s discretion |
| CVE-2020-9616 | Adobe Premiere Pro | 14.1 and earlier | 5/19/2020 | Information Disclosure | Important Priority 3: Update at admin’s discretion |
| CVE-2020-9586 | Adobe Character Animator | 3.2 and earlier | 5/19/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin’s discretion |
| Multiple CVE’s | Adobe DNG Software | 1.5 and earlier | 5/12/2020 | Arbitrary Code Execution, Information Disclosure | Critical Priority 3: Update at admin’s discretion |
| Multiple CVE’s | Adobe Acrobat and Reader | Continuous 2020.006.20042 and earlier; Classic 2017 2017.011.30166 and earlier; Classic 2015 2015.006.30518 and earlier | 5/12/2020 | Denial of Service, Arbitrary Code Execution, Security Bypass, Information Disclosure | Critical Priority 2: Update within 30 days |
| Multiple CVE’s | Adobe Magento | Commerce 2.3.4 and earlier, 2.2.11 and earlier; Enterprise 1.14.4.4 and earlier; Community 1.9.4.4 and earlier; Open Source 2.3.4 and earlier, 2.2.11 and earlier | 4/28/2020 | Arbitrary Code Execution, Information Disclosure, Security Bypass, Privilege Escalation | Critical Priority 2: Update within 30 days |
| Multiple CVE’s | Adobe Illustrator | 24.0.2 and earlier | 4/28/2020 | Arbitrary Code Execution | Critical Priority 3: Update at admin’s discretion |
| Multiple CVE’s | Adobe Bridge | 10.0.1 and earlier | 4/28/2020 | Arbitrary Code Execution, Information Disclosure | Critical Priority 3: Update at admin’s discretion |
| No Details Yet | iTunes for Windows | Windows 7 and later | 5/21/2020 | No Details Yet | Update after testing |
| Multiple CVE’s | Google Chrome | Before 83.0.4103.61 | 5/19/2020 | Use After Free, Security Bypass | Update after testing |
| Multiple CVE’s | Mozilla Firefox | Before 76/ESR 68.8 | 5/5/2020 | Denial of Service, Security Bypass, Information Disclosure, Arbitrary Code Execution | Update after testing |
| Multiple CVE’s | Mozilla Thunderbird | Before 68.8 | 5/5/2020 | Spoofing, Denial of Service, Information Disclosure, Arbitrary Code Execution | Update after testing |