February 2024 Adobe Security Update: Over 30 Vulnerabilities Fixed Across Multiple Products, Including Critical Fixes
Last Updated | February 26, 2024
In its latest Patch Tuesday security update, Adobe has fixed more than 30 vulnerabilities across a range of its products.
Critical vulnerabilities were found in several flagship products, including Adobe Acrobat and Reader, Adobe Commerce, Magento Open Source, Substance 3D Painter, and FrameMaker, so affected users should apply the updates promptly to limit the risk to their systems.
In Adobe Acrobat and Reader alone, Adobe resolved 13 vulnerabilities. Their impacts range from arbitrary code execution to application denial-of-service and memory leaks, all of which threaten system integrity and the confidentiality of user data.
Adobe’s advisory stresses the urgency of these updates and urges users to install the security update for Adobe Acrobat and Reader on both Windows and macOS. Unpatched systems remain exposed to exploitation that could result in arbitrary code execution, application denial-of-service, or memory leaks.
With these updates Adobe continues its regular practice of hardening its products against evolving threats, improving the security posture of its software and of the users who depend on it.
Here is the compilation of vulnerabilities that the software vendor has resolved:
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
| --- | --- | --- | --- | --- | --- |
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20726 |
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20727 |
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20728 |
| Use After Free (CWE-416) | Arbitrary code execution | Important | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20729 |
| Integer Overflow or Wraparound (CWE-190) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20730 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20731 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | CVE-2024-20733 |
| Use After Free (CWE-416) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20734 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20735 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20736 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20747 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20748 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20749 |
Here are the vulnerabilities that have been addressed by the software firm, affecting Adobe Commerce and Magento Open Source products:
| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | CVE number(s) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2024-20719 |
| Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CWE-78) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2024-20720 |
| Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Important | Yes | Yes | 5.7 | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:H | CVE-2024-20716 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | Yes | Yes | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-20717 |
| Cross-Site Request Forgery (CSRF) (CWE-352) | Security feature bypass | Moderate | Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | CVE-2024-20718 |
According to the advisory, all of the Commerce and Magento vulnerabilities listed above require an authenticated attacker to exploit.
The advisory states, “Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.”
Adobe reports that it has not detected any in-the-wild attacks exploiting these vulnerabilities.
In February 2024, Microsoft’s Patch Tuesday security updates resolved a total of 72 vulnerabilities, including two actively exploited zero-days.
These vulnerabilities impact various Microsoft products and components, including Microsoft Windows and Windows Components, Office and Office Components, Azure, .NET Framework and ASP.NET, SQL Server, Windows Hyper-V, and Microsoft Dynamics.
Of these vulnerabilities, five are classified as Critical, 65 as Important, and two as Moderate in severity.