Security update available for Adobe Photoshop CC

Release date: June 16, 2015

Last updated: August 19, 2015

Vulnerability identifier: APSB15-12

Priority: See table below

CVE number: CVE-2015-3109, CVE-2015-3110, CVE-2015-3111, CVE-2015-3112

Platform: Windows and Macintosh

Summary

Adobe has released an update for Photoshop CC for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.

Affected software versions

Adobe Photoshop CC 2014 (15.2.2) (2014.2.2) and earlier versions for Windows and Macintosh

Solution

Adobe recommends users update their software installation via the application's update mechanism by launching the application, navigating to the Help menu, and clicking "Updates". For more information, please reference this help page.

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

Patches for Adobe Photoshop CC 2014 (15.2.3) are also available at the following locations:

Win (32-bit): http://www.adobe.com/support/downloads/detail.jsp?ftpID=5952

Win (64-bit): http://www.adobe.com/support/downloads/detail.jsp?ftpID=5951

Mac: http://www.adobe.com/support/downloads/detail.jsp?ftpID=5950

Note: These updates will not show in the Applications & Updates section of the Creative Cloud Packager. Please download the patches directly from the links above, and use the option to “Add Offline Media” as described in the workflow documented here.

Priority and severity ratings

Adobe categorizes these updates with the following priority rating and recommends users update their installation to the latest version:

Product                 | Updated version  | Platform              | Priority rating
Adobe Photoshop CC 2015 | 16.0 (2015.0.0)  | Windows and Macintosh | 3
Adobe Photoshop CC 2014 | 15.2.3           | Windows and Macintosh | 3

These updates address a critical vulnerability in the software.

Details

Adobe has released an update for Photoshop CC for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. Adobe recommends users update their product installations to the latest version.

These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2015-3110).

These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-3109, CVE-2015-3112).

These updates resolve a heap overflow vulnerability that could lead to code execution (CVE-2015-3111).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Jeremy Brown of Microsoft Vulnerability Research (CVE-2015-3109)
  • Francis Provencher of Protek Research Labs (CVE-2015-3110, CVE-2015-3111, CVE-2015-3112)

Revisions

August 18, 2015 - As of August 18, patches for Adobe Photoshop CC 2014 (15.2.3) are available via download, or via Cloud Packager for deployments in managed environments. Please reference the Solution section of this bulletin for more details.

August 19, 2015 - Added additional note regarding use of the Creative Cloud Packager for offline media deployments in managed environments.