Indian cyber agency alerts users of multiple bugs in Adobe products
The Indian Computer Emergency Response Team (CERT-In) on Thursday issued an advisory over multiple vulnerabilities in Adobe products that could help hackers infiltrate into computer systems.
The bugs were reported in Adobe products like InDesign (along with earlier versions for Windows and macOS), InCopy, Illustrator, Bridge and Animate (and earlier versions for Windows and macOS).
“Multiple vulnerabilities have been reported in Adobe products which could allow an attacker to gain elevated privileges, execute arbitrary code, write arbitrary files on the file system and cause memory leak on the targeted system,” said CERT-In which comes under the Ministry of Electronics and Information Technology (MeitY).
These vulnerabilities, according to the national cyber-security agency, exist in Adobe products due to “improper Input Validation, improper authorisation, heap-based buffer overflow, out-of-bounds Write, out-of-bounds read and use after free flaws”.
An attacker could exploit these vulnerabilities by persuading the victim to open a specially crafted file or application, the advisory read.
Successful exploitation of these vulnerabilities could allow an attacker to gain elevated privileges, execute arbitrary code, write arbitrary files on the file system and cause memory leak on the targeted system.
CERT-In advised users to install appropriate software updates as part of the Adobe security updates.
The cyber-security agency also reported multiple vulnerabilities in Citrix Application Delivery Management (ADM) products which could allow a remote attacker to cause security bypass and denial of service conditions on the targeted systems.
“This vulnerability exists in Citrix ADM due to improper access control. A remote attacker could exploit this vulnerability by sending a specially-crafted request to corrupt the system and reset the administrator password at the next device reboot,” according to CERT-In.
Successful exploitation of this vulnerability could allow a remote attacker to bypass security and cause improper access control on an affected device, the agency added.