Happy
Pi Day, and welcome to the third patch Tuesday of 2023 and the final patch Tuesday before Pwn2Own Vancouver. Take a break from your regularly scheduled activities and join us as we review the details of the latest security offerings from Microsoft and Adobe.
Adobe Patches for March 2023
For March, Adobe released eight patches addressing 105 CVEs in Adobe Photoshop, Experience Manager, Dimension, Commerce, Substance 3D Stager, Cloud Desktop Application, and Illustrator. A total of 77 of these bugs were reported through the ZDI program. This is the largest Adobe update in quite some time. The patch for
Cold Fusion is listed as under active exploit. It fixes three bugs, including a Critical-rate code execution bug that rates a CVSS 9.8. This patch receives a deployment priority of 1 from Adobe as well.
The patch for
Dimension is the largest of the bunch, with nearly 60 CVEs addressed by that patch alone. The update for
Substance 3D Stager is also heft with 16 bugs fixed, many of which could lead to arbitrary code execution. The
Experience Manager patch fixes 18 bugs including several cross-site scripting (XSS) and open redirects.
The patch for
Commerce includes a fix for an unauthenticated file system read. If you’re using the platform, a disclosure like this could prove costly. The updates for
Photoshop and
Illustrator address many open-and-own bugs that could lead to code execution at the level of the current user. The patch for
Creative Cloud fixes a single, Critical-rated code execution bug.
None of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. With the exception of Cold Fusion, Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for March 2023
This month, Microsoft released 74 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Edge (Chromium-based); Microsoft Dynamics; Visual Studio; and Azure. This is in addition to four Github and two TPM CVEs that were previously released and are now being shipped for Microsoft products. Two of these CVEs were submitted through the ZDI program.
Of the patches released today, six are rated Critical and 67 are rated Important, and one is rated Moderate in severity. This volume seems to be the “new normal” for Microsoft releases. However, like we saw last month, remote code execution (RCE) bugs continue to dominate the release.
Two of the new CVEs are listed as under active attack at the time of release with one of those also being listed as publicly known.
www.zerodayinitiative.com
