Adobe Patches 59 Security Vulnerabilities

Posted on Sep 23, 2021 | By Pavithra Shankar

Adobe released a series of patches that address 59 flaws in 15 of its products, including Adobe Acrobat and Reader, Premiere Pro, InCopy, and other Adobe products. We analyzed these weaknesses and highlighted the most important vulnerabilities that should be fixed as a priority.

Adobe September Patches: Overview

In this monthly rollout, 59 security vulnerabilities have been addressed that affect both Windows and macOS.

  • 32 CVEs are classified as Arbitrary Code Execution bugs

  • 2 CVEs with Privilege Escalation capabilities

  • 12 CVEs are linked to Arbitrary file system write/read

  • 7 CVEs have Denial of Service capabilities

  • 4 CVEs are Memory leak flaws and 3 CVEs are Security feature bypass flaws

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Adobe Patch Latency Metrics

We analyzed the latency metrics for the vulnerabilities patched by Adobe in September and found that the patches were released on the same date as discovery (September 14, 2021), which is ideal. 41% of the CVEs got a second update released in the same month, with an average latency of 6 days. These insights help us understand the approximate time that a vendor takes to deliver a fix.

Meanwhile, NVD has not disclosed any details of the Adobe vulnerabilities that were discovered this month. 

Severity Score

Adobe Acrobat and Reader received fixes for 13 critical vulnerabilities. Adobe Premiere Pro, InCopy, ColdFusion, and Digital Editions received fixes for two critical vulnerabilities each. Adobe InDesign received fixes for 3 critical vulnerabilities. Adobe Premiere Elements received fixes for four critical vulnerabilities. Adobe SVG-Native-Viewer, Creative Cloud Desktop Application, Photoshop, Photoshop Elements, Genuine Service, and Experience Manager received fixes for one critical vulnerability each.

Patches are tagged Priority 2 for Adobe Acrobat and Reader, ColdFusion, and Experience Manager, while the remaining are labeled Priority 3.

Product Analysis

CWE Analysis

When analyzed based on CWE classification, we found 64% of CVEs are categorized under the 2021 CWE Top 25 Most Dangerous Software Weaknesses, making the fixes the highest priority for this month. 

Table: Adobe September Patches 2021

Adobe stated that this month's update brings enhancements and fixes for some customer-reported issues. Some of the disclosed vulnerabilities are severe; however, they all require user interaction, and there are no reports of public disclosure or exploitation.

We recommend that all Adobe users add these updates to their “Patch Now” cycle.

 
