Welcome to the second patch Tuesday of 2023. On this romantic holiday, Microsoft and Adobe have released their latest security patches as Valentine’s gifts for us all. Take a break from your regularly scheduled activities (or Pwn2Own Miami
) and join us as we review the details of their latest security offerings.
Adobe Patches for February 2023
For February, Adobe released nine patches addressing 28 CVEs in Adobe Photoshop, Substance 3D Stager, Animate, InDesign, Bridge, FrameMaker, Connect, and After Effects. A total of 21 of these were reported by ZDI vulnerability researcher Mat Powell. Probably the most interesting fix is for PhotoShop
. This patch fixes five bugs, three of which are rated Critical. An attacker could get arbitrary code execution if they can convince a user on an affected system to open a malicious file. This is the same scenario for Premier Rush
, which corrects two Critical-rated code execution bugs. The Animate
patch also fixes three similar code execution bugs. The fix for Adobe Bridge
fixes five Critical-rated code execution bugs plus two memory leaks. After Effects
also has a memory leak to go along with three code execution bugs. The patch for FrameMaker
also contains a mix of code execution and memory leak fixes.
The patch for Adobe Connect
fixes a security feature bypass bug, although Adobe doesn’t provide any further info on what’s being bypassed. The fix for InDesign
corrects a denial of service caused by a NULL pointer deref. Finally, the fix for Adobe Substance 3D Stager doesn’t actually address any new CVEs. However, Adobe is updating third-party libraries used by the 3D modeling tool.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for February 2023
This month, Microsoft released 75 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Exchange Server; .NET Core and Visual Studio Code; 3D Builder and Print 3D; Microsoft Azure and Dynamics 365; Defender for IoT and the Malware Protection Engine; and Microsoft Edge (Chromium-based). This is in addition to Edge CVEs previously released this month plus some third-party fixes that are now being shipped for Microsoft products. A total of eight of these CVEs were submitted through the ZDI program.
Of the patches released today, nine are rated Critical and 66 are rated Important in severity. This volume is relatively typical for a February release. However, it is unusual to see half of the release address remote code execution (RCE) bugs.
None of the new CVEs released this month are listed as publicly known, but there are three bugs listed as being exploited in the wild at the time of release.