Naked Security

Patch time! Adobe issues unexpected ‘critical’ fix for Photoshop CC

Adobe has issued an urgent fix for two critical vulnerabilities affecting Photoshop Creative Cloud (CC) for Windows and macOS.

Barely a week on from Adobe’s scheduled monthly patch excitement, the company is back with an urgent fix for two critical vulnerabilities affecting Photoshop Creative Cloud (CC) for Windows and macOS.
This probably qualifies them as unscheduled (i.e. unexpected) rather than out-of-band (usually reserved for vulnerabilities that are being actively exploited), but Photoshop CC users should still apply them within a reasonable timeframe.
The vulnerable versions are Photoshop CC 2018 v19.1.5 and earlier and Photoshop CC 2017 v18.1.5 and earlier, on both Windows and macOS.
The updated versions are Photoshop CC 2018 v19.1.6 and Photoshop CC 2017 v18.1.6. The vulnerabilities are referenced as CVE-2018-12810 and CVE-2018-12811 under Adobe’s identifier APSB18-28. Updates are applied via Help > Updates.
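The version boundaries above are easy to get wrong across two product lines (CC 2018 on the 19.x train, CC 2017 on the 18.x train), so here is an added example, not code from the article or from Adobe, that parses Photoshop CC version strings and classifies each one as vulnerable, patched or outside the scope of APSB18-28. The inventory list is constructed sample data; reading the real installed version from each workstation (via the Help > About dialog, a registry query or an endpoint-management export) is assumed to happen elsewhere.

```python
# Added example (not from the article): classify Photoshop CC version strings
# against the ranges fixed by APSB18-28.
#   CC 2018: 19.1.5 and earlier vulnerable, 19.1.6 fixed
#   CC 2017: 18.1.5 and earlier vulnerable, 18.1.6 fixed
from typing import Dict, List, Tuple

# First fixed release per major version train, as stated in the bulletin.
FIXED_RELEASE: Dict[int, Tuple[int, ...]] = {
    19: (19, 1, 6),  # Photoshop CC 2018
    18: (18, 1, 6),  # Photoshop CC 2017
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '19.1.5' into (19, 1, 5); short strings like '19.1' pad to (19, 1, 0)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Photoshop version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def apsb18_28_status(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'out-of-scope' for one version string."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASE.get(parsed[0])
    if fixed is None:
        # Not a CC 2017/2018 release; the bulletin says nothing about it.
        return "out-of-scope"
    # Tuple comparison is lexicographic, so (19, 1, 5) < (19, 1, 6) holds.
    return "vulnerable" if parsed < fixed else "patched"


# Constructed sample inventory: (hostname, installed Photoshop CC version).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-design-01", "19.1.5"),
    ("ws-design-02", "19.1.6"),
    ("ws-design-03", "18.1.5"),
    ("ws-design-04", "18.1.6"),
    ("ws-design-05", "19.1"),
    ("ws-legacy-06", "17.0.1"),
]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to its APSB18-28 status."""
    return {host: apsb18_28_status(ver) for host, ver in inventory}


def hosts_needing_update(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts that should be pointed at Help > Updates."""
    return sorted(h for h, s in triage(inventory).items() if s == "vulnerable")


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
    print("needs update:", ", ".join(hosts_needing_update(SAMPLE_INVENTORY)))
```

A version that is merely older than the 2017 train is reported as out of scope rather than patched, because the bulletin only speaks to the 18.x and 19.x releases; treating unknown versions as safe is the usual mistake in this kind of check.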
Reported to Adobe by Fortinet’s Kushal Arvind Shah, the flaws have not yet been revealed in detail beyond the fact that they are memory corruption bugs allowing remote code execution (RCE), triggered by opening a malicious file.
Explains Adobe’s security bulletin:

Successful exploitation could lead to arbitrary code execution in the context of the current user.

Because of this, the fixes are rated ‘critical’ despite having a priority rating of only 3, which in Adobe’s view means that:

This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.

Photoshop CC’s last significant fix was issued in May to address CVE-2018-4946, although last week’s patch bundle included one, CVE-2018-5003, which patched a flaw in the Creative Cloud Desktop Application installer for Windows (v4.5.0.324 and earlier).
If patching Photoshop CC sounds like work, try Flash Player for size. For anyone masochistic enough to still be running it, during 2018 they’ve found themselves fielding 19 CVEs (including a crop fixed last month) – and it’s only August.