Patch now to protect against plethora of security bugs

UPDATED Adobe has released a security update that patches six critical vulnerabilities and seven other flaws in Magento Commerce and Open Source editions.

Four of the critical bugs were command injection issues and two were security mitigation bypass flaws, according to a security bulletin Adobe posted yesterday (April 28).

Of the remaining flaws in the globally popular e-commerce platform, four were rated ‘important’ and three ‘moderate’ in severity.

Exploitation of the vulnerabilities could variously lead to the execution of malicious code, disclosure of sensitive information, unauthorized access to the admin panel, signature verification bypass, and unauthorized product discounts.

Adobe has urged customers to apply the relevant updates if they are running versions 2.3.4 and earlier of the Magento Commerce or Open Source editions, 1.14.4.4 or earlier for Enterprise, and 1.9.4.4 or earlier for Community Edition.

Commerce and Open Source versions 2.2.11 and earlier also have the vulnerabilities, but Adobe discontinued support for these branches in December 2019.
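The version ceilings in the two paragraphs above are the kind of thing an operator turns into an inventory check. The script below is an added example written for this article, not code from Adobe or The Daily Swig; the affected ceilings (2.3.4, 1.14.4.4, 1.9.4.4) and the unsupported 2.2.x branch come from the text, while the edition keys, host names and `SAMPLE_INVENTORY` are constructed for illustration. It compares plain dotted numeric versions only; suffixed releases are rejected rather than guessed at.

```python
from typing import List, Tuple

# Highest affected version (inclusive) per edition, as stated in the article's
# summary of Adobe's April 28 bulletin. Edition keys are an assumption made here.
AFFECTED_CEILINGS = {
    "commerce": (2, 3, 4),
    "open-source": (2, 3, 4),
    "enterprise": (1, 14, 4, 4),
    "community": (1, 9, 4, 4),
}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2.3.4' into (2, 3, 4). Anything non-numeric is rejected rather than
    guessed at, because a wrong 'patched' verdict is worse than no verdict."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a plain dotted numeric version: {s!r}")
    return tuple(int(p) for p in parts)


def assess(edition: str, version: str) -> str:
    """Classify one install as 'affected', 'affected-unsupported', 'patched'
    or 'unknown-edition'. Tuple comparison gives correct ordering for
    versions of differing length ((2, 3) sorts below (2, 3, 4))."""
    ceiling = AFFECTED_CEILINGS.get(edition)
    if ceiling is None:
        return "unknown-edition"
    v = parse_version(version)
    if edition in ("commerce", "open-source") and v[:2] == (2, 2):
        # The 2.2.x branch carries the bugs but lost support in December 2019,
        # so the fix is a branch upgrade, not a point release.
        return "affected-unsupported"
    return "affected" if v <= ceiling else "patched"


# Constructed sample inventory: (hostname, edition, installed version).
SAMPLE_INVENTORY = [
    ("shop-eu", "commerce", "2.3.4"),
    ("shop-us", "open-source", "2.3.5"),
    ("legacy", "community", "1.9.4.4"),
    ("old-branch", "commerce", "2.2.11"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, status) for every install that still needs action."""
    results = []
    for host, edition, version in inventory:
        status = assess(edition, version)
        if status != "patched":
            results.append((host, status))
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

The check is deliberately conservative: an edition it does not recognise or a version string it cannot parse is surfaced rather than silently treated as safe, which is the failure mode that matters when a bulletin lists several product lines with different numbering schemes.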

Researcher thanks

Adobe acknowledged eight researchers involved in uncovering the flaws, with the researcher who goes by the Twitter handle ‘Blaklis’ the most prolific, having been involved in unearthing six flaws, including four critical bugs.

Blaklis told The Daily Swig that most critical flaws he found were nevertheless exploitable only by an attacker with “administrative access”, meaning “only trusted or compromised users” could execute malicious commands.

Asked which bug he thought most dangerous, he pointed to a pre-authenticated, stored cross-site scripting (XSS) flaw. This “allowed [the attacker] to poison a complete session and to inject arbitrary JavaScript in [all] future pages that the victim will visit – allowing [them] to retrieve confidential data from regular users/customers.”

This alone “should convince all Magento users to update as soon as possible,” he added.

This is the second time in three months that Magento has been patched for multiple serious flaws that could potentially lead to arbitrary code execution attacks, with a similar Adobe update issued in February.

And in November 2019, Adobe admitted that some users’ account information had been exposed by a flaw in Magento Marketplace, the e-commerce portal that allows web admins to customize their online stores.

Unpatched security flaws in Magento and other e-commerce platforms are regularly targeted by Magecart cybercrime outfits, which specialize in injecting checkouts with malicious code that skims payment card data.

On the same day it issued the Magento update, Adobe also released new versions of Adobe Illustrator and Adobe Bridge that patched various vulnerabilities that could lead to the arbitrary execution of malicious code.

Researchers found five critical memory corruption flaws in Illustrator. Of the 17 bugs in Bridge, 14 were critical and included use after free, out-of-bounds write, memory corruption, heap overflow, and stack-based buffer overflow issues.


This article was updated on April 30 with comments from security researcher 'Blaklis'

