Adobe Patches Critical RCE Flaw in Character Animator App

A critical remote code execution flaw in Adobe Character Animator was fixed in an out-of-band Tuesday patch.

Adobe has issued an out-of-band patch for a critical flaw in Adobe Character Animator, its application for creating live motion-capture animation videos. The flaw can be exploited by a remote attacker to execute code on affected systems.

The flaw (CVE-2020-9586) is found in versions 3.2 and earlier and exists within the parsing of the BoundingBox element in PostScript. Specifically, it stems from a stack-based buffer overflow error, meaning the element lacks proper validation of the length of user-supplied data prior to copying it to a stack-based buffer.

“Of the bugs fixed today, CVE-2020-9586 stands out as it could code execution if a user opens a malicious file or visits a malicious web page,” Dustin Childs, manager at Trend Micro’s Zero Day Initiative, told Threatpost. “An attacker can leverage this vulnerability to execute code in the context of the current process.”

Users are urged to update to version 3.3 for Windows and macOS. While the flaw is critical, the security bulletin is a Priority 3 update, which according to Adobe resolves vulnerabilities in a product that has historically not been a target for attackers. “Adobe recommends administrators install the update at their discretion,” according to the update.

Adobe on Tuesday also issued several updates addressing other flaws. While these other vulnerabilities are “important” in severity, they would all need to be combined with additional bugs to gain code execution, Childs told Threatpost.

One such flaw exists in Adobe Premiere Rush, its video editing software for online video creators. The software has an out-of-bounds read vulnerability (CVE-2020-9617) that could lead to information disclosure. Users are urged to update to Adobe Premiere Rush version 1.5.12 for Windows and macOS.

Another “important”-severity flaw exists in Adobe Premiere Pro, another version of Adobe’s video editing software that is more advanced than Adobe Premiere Rush (which is instead more targeted toward YouTubers and social media creators). Like Premiere Rush, Premiere Pro has an out-of-bounds read flaw (CVE-2020-9616) that could lead to information disclosure. Users can update to version 14.2 for Windows and macOS.

Finally, Adobe stomped out a flaw in Audition, which is its toolset offering for creating and editing audio content. The out-of-bounds read flaw (CVE-2020-9618) can enable information disclosure if exploited. A patch is available in Audition 13.0.6 for Windows and macOS.

For all of these flaws, “Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” according to the alert. Mat Powell with ZDI was credited with discovering these flaws.

The unscheduled patches come a week after Adobe’s regularly-scheduled updates, which fixed 16 critical flaws across its Acrobat and Reader applications and its Adobe Digital Negative (DNG) Software Development Kit – and addressed 36 CVEs overall.