Cybersecurity specialists report the detection of two severe vulnerabilities in Adobe Photoshop, one of the most popular image editing tools in the world. According to the report, successful exploitation of these flaws would allow an attacker to trigger a buffer overflow or bypass security restrictions.
Below is a brief summary of the reported flaws, together with their identifiers and their scores according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-28582: This flaw is a boundary error in Photoshop's handling of input files. A remote threat actor can exploit it by creating a specially crafted file and tricking the victim into opening it, triggering a heap-based buffer overflow and executing arbitrary code on the compromised system.
According to cybersecurity experts, this flaw received a CVSS score of 7.7/10, and its successful exploitation could result in the total compromise of the target system.
CVE-2021-28624: This flaw is also a boundary error, in this case while processing Photoshop files. A remote attacker can create a specially crafted file and trick the victim into opening it, causing severe memory corruption and gaining the ability to execute arbitrary code.
Like the previous flaw, this vulnerability received a CVSS score of 7.7/10, and its exploitation would allow an attacker to take full control of the affected system.
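Both flaws are described only as boundary errors in file processing, and the internals of the Photoshop bugs are not public. As an added illustration (not Adobe's code and not a reconstruction of the actual defects), the following C program shows the usual shape of such a bug in a file parser: a heap buffer sized by one length field from the file, a copy sized by another, and no check that the two agree. The hardened parser beside it validates every file-derived length before copying. The "TOYF" container format, the function names and the sample files are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy container (NOT Photoshop's real PSD/ABR layout):
 *   bytes 0-3   magic "TOYF"
 *   bytes 4-7   alloc_len (u32 LE): size of the buffer the reader allocates
 *   bytes 8-11  data_len  (u32 LE): number of payload bytes that follow
 *   bytes 12..  payload
 */
#define HDR_LEN   12u
#define MAX_ALLOC (16u * 1024u * 1024u)

enum parse_status { PARSE_OK = 0, PARSE_BAD_HEADER, PARSE_BAD_LENGTH, PARSE_NOMEM };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Shape of the boundary error: the heap buffer is sized by one header field
 * and the copy by another, and nothing checks that they agree. Works on every
 * well-formed file; a crafted file with data_len > alloc_len writes past the
 * allocation. Never run this on untrusted input. */
int parse_toy_unsafe(const uint8_t *file, size_t file_len, uint8_t **out, uint32_t *out_len) {
    if (file_len < HDR_LEN || memcmp(file, "TOYF", 4) != 0) return PARSE_BAD_HEADER;
    uint32_t alloc_len = rd_le32(file + 4);
    uint32_t data_len  = rd_le32(file + 8);
    uint8_t *buf = malloc(alloc_len);
    if (buf == NULL) return PARSE_NOMEM;
    memcpy(buf, file + HDR_LEN, data_len);       /* heap overflow if data_len > alloc_len */
    *out = buf; *out_len = data_len;
    return PARSE_OK;
}

/* Hardened parser: every length taken from the file is validated against
 * both the allocation and the input size before any copy happens. */
int parse_toy_safe(const uint8_t *file, size_t file_len, uint8_t **out, uint32_t *out_len) {
    if (file_len < HDR_LEN || memcmp(file, "TOYF", 4) != 0) return PARSE_BAD_HEADER;
    uint32_t alloc_len = rd_le32(file + 4);
    uint32_t data_len  = rd_le32(file + 8);
    if (alloc_len == 0 || alloc_len > MAX_ALLOC) return PARSE_BAD_LENGTH;  /* absurd allocation */
    if (data_len > alloc_len)                   return PARSE_BAD_LENGTH;  /* the missing check */
    if (data_len > file_len - HDR_LEN)          return PARSE_BAD_LENGTH;  /* truncated input */
    uint8_t *buf = calloc(1, alloc_len);        /* zero-filled: no stale heap bytes if data_len < alloc_len */
    if (buf == NULL) return PARSE_NOMEM;
    memcpy(buf, file + HDR_LEN, data_len);
    *out = buf; *out_len = data_len;
    return PARSE_OK;
}

/* Triage helper: bytes the unsafe parser would write past its allocation (0 = none). */
uint32_t toy_overflow_bytes(const uint8_t *file, size_t file_len) {
    if (file_len < HDR_LEN) return 0;
    uint32_t alloc_len = rd_le32(file + 4), data_len = rd_le32(file + 8);
    return data_len > alloc_len ? data_len - alloc_len : 0;
}

/* Builds a sample file; returns its length, or 0 if dst is too small. */
size_t build_toy(uint8_t *dst, size_t cap, uint32_t alloc_len, uint32_t data_len,
                 const uint8_t *payload, size_t payload_len) {
    if (cap < HDR_LEN + payload_len) return 0;
    memcpy(dst, "TOYF", 4);
    wr_le32(dst + 4, alloc_len);
    wr_le32(dst + 8, data_len);
    memcpy(dst + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

/* Returns 1 when both parsers accept the benign file, the hardened parser
 * rejects the crafted one, and the triage helper reports the 32-byte overrun. */
int self_check(void) {
    uint8_t benign[64], crafted[64], payload[40];
    uint8_t *out = NULL; uint32_t out_len = 0;
    memset(payload, 'A', sizeof payload);                             /* constructed payload */

    size_t n = build_toy(benign, sizeof benign, 8, 8, payload, 8);    /* alloc 8, data 8 */
    if (parse_toy_unsafe(benign, n, &out, &out_len) != PARSE_OK || out_len != 8) return 0;
    free(out);
    if (parse_toy_safe(benign, n, &out, &out_len) != PARSE_OK || out_len != 8) return 0;
    if (memcmp(out, payload, 8) != 0) return 0;
    free(out);

    n = build_toy(crafted, sizeof crafted, 8, 40, payload, 40);       /* alloc 8, data 40 */
    if (toy_overflow_bytes(crafted, n) != 32) return 0;
    if (parse_toy_safe(crafted, n, &out, &out_len) != PARSE_BAD_LENGTH) return 0;
    /* parse_toy_unsafe(crafted, ...) is deliberately never executed: it would corrupt the heap */
    return 1;
}

int main(void) {
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

The point of the pairing is that the unsafe parser behaves identically to the hardened one on every well-formed file, which is why bugs of this class survive ordinary testing and are found by fuzzing or by an attacker hand-crafting the length fields. The fix is not one extra comparison but a rule: any length that originates in the file is checked against the allocation it indexes and against the bytes actually present before it drives a copy.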
According to the report, these flaws reside in the following versions of Adobe Photoshop: 20.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 20.0.6, 20.0.7, 20.0.8, 20.0.9, 20.0.10, 21.0.1, 21.0.2, 21.1, 21.1.1, 21.2, 21.2.1, 21.2.2, 21.2.3, 21.2.4, 21.2.5, 21.2.6, 21.2.7, 21.2.8, 22.1.0, 22.1.1, 22.2, 22.3, 22.3.1, 22.4 and 22.4.1.
As mentioned, the flaws can be exploited by remote threat actors without authentication, although they do require user interaction: the victim has to open the crafted file. It is also worth mentioning that Adobe has not detected active exploitation attempts or any malware variant associated with an attack. Security patches addressing these vulnerabilities are now available, so Photoshop users are encouraged to confirm their installed version against the list above and update as soon as possible, for example through the Creative Cloud desktop app.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.