The spotlight is once again on media colossus Adobe, which not long ago had issues with a host of its widely used media software products. This time around, it is software vulnerability déjà vu for Adobe. Adobe has officially released a security vulnerability report detailing a critical issue with its Media Encoder product, as well as multiple other products. Adobe’s products are used by hundreds of thousands of companies and millions of individual users, have existed for over 20 years, and are regarded as the gold standard media software suite, with a very wide range of uses such as video, audio, photography, design and more.

The Adobe Media Encoder Vulnerability

On August 17th, 2021, Adobe’s official ‘Security Bulletin’ web page published bulletin ID APSB21-70, an ID code that Adobe ascribes to its security bulletins. The bulletin informed the public that a critical software vulnerability was found in the very widely used Adobe Media Encoder. Adobe Media Encoder is an integral part of Adobe’s famous video editing platform Premiere Pro, as well as its special effects software After Effects. It is instrumental for video and audio editing conversion and compression at the final stages of a media project and is well known in the media industry.

The Technical Details

The technical details surrounding the Adobe Media Encoder vulnerability are as follows:

- This is a critical vulnerability
- It is classified as priority 3 according to Adobe’s Priority Rating System
- The vulnerability allows a remote attacker to compromise a vulnerable system

The CVE (Common Vulnerabilities and Exposures) ID code for this vulnerability is CVE-2021-36070. It is a remote code execution security flaw caused by a boundary error, classified as an "access of memory location after end of buffer" vulnerability. On an unpatched system, a remote attacker may create a specially crafted file and trick the victim into opening it. If the victim then opens the file with the affected software, this can trigger an out-of-bounds write and finally allow the remote attacker entry into the target system.
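The following added example illustrates the general bug class described above, a length field read from a file and used without a bounds check, next to a bounds-checked form. It is not Adobe's code and does not come from the bulletin; the record layout, function names and sample bytes are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (an assumption, not an Adobe format):
 * byte 0 = tag, bytes 1-2 = payload length (little-endian), bytes 3.. = payload. */
#define HDR_LEN  3
#define DEST_CAP 16

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LARGE = -2 };
/* Unchecked form, shown for contrast and never called: the length comes straight
 * from the file, so a declared length above DEST_CAP writes past the end of dest. */
void copy_payload_unchecked(const uint8_t *in, uint8_t *dest)
{
    size_t len = (size_t)in[1] | ((size_t)in[2] << 8);
    memcpy(dest, in + HDR_LEN, len);
}

/* Checked form: the declared length must fit both the bytes actually present
 * in the input and the destination buffer before anything is copied. */
int copy_payload_checked(const uint8_t *in, size_t in_len,
                         uint8_t *dest, size_t dest_cap, size_t *out_len)
{
    if (in_len < HDR_LEN) return PARSE_TRUNCATED;
    size_t len = (size_t)in[1] | ((size_t)in[2] << 8);
    if (len > in_len - HDR_LEN) return PARSE_TRUNCATED;  /* header overstates the input */
    if (len > dest_cap) return PARSE_TOO_LARGE;          /* would overrun dest */
    memcpy(dest, in + HDR_LEN, len);
    *out_len = len;
    return PARSE_OK;
}

/* Constructed sample records. */
const uint8_t SAMPLE_OK[] = { 0x01, 0x04, 0x00, 'D', 'A', 'T', 'A' };
const uint8_t SAMPLE_OVERSIZE[HDR_LEN + 32] = { 0x01, 0x20, 0x00 }; /* declares 32 > DEST_CAP */
const uint8_t SAMPLE_LYING[] = { 0x01, 0x00, 0x04, 'x', 'y' };      /* declares 1024, has 2 */
int classify(const uint8_t *in, size_t in_len)  /* parse into a fixed buffer, return status */
{
    uint8_t dest[DEST_CAP];
    size_t n = 0;
    return copy_payload_checked(in, in_len, dest, sizeof dest, &n);
}

int main(void)
{
    printf("ok=%d oversize=%d lying=%d\n", classify(SAMPLE_OK, sizeof SAMPLE_OK),
           classify(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE), classify(SAMPLE_LYING, sizeof SAMPLE_LYING));
    return 0;
}
```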

Vulnerable Software Versions

The following versions of Adobe Media Encoder have been affected by the above software vulnerability:

- 15.0
- 15.1
- 15.2
- 15.3
- 15.4

Additional Adobe Product Security Vulnerabilities

Apart from the Adobe Media Encoder vulnerability, Adobe has also published other product vulnerabilities on its security bulletin. The information below is important for users of these products, which include:

- Adobe InCopy
- Adobe Photoshop
- Adobe Bridge
- Adobe Commerce and Magento Open Source

All of the above software vulnerabilities range from important to critical, and if unpatched could lead to system compromise from a remote attacker. Information about the vulnerable software versions for each respective product can be accessed via each link above.

Important Information For Users of Adobe Products

Fixes have been released for the above issues. Users of Adobe Media Encoder, InCopy, Photoshop, Bridge, Commerce, and Magento Open Source should immediately check whether their software is updated to the latest respective patch. The Adobe Software Suite should automatically update for all users, or display a prompt. For further information, users should refer to Adobe’s Product Security Update web page, where the latest security information and guidance can be found for every Adobe product. Alternatively, users can email Adobe’s Product Security Incident Response Team at PSIRT@adobe.com for additional assistance.
