It's July 2020, and your PC or Mac can be pwned by a dodgy Photoshop file – Adobe emits critical patch batch

Creative software slinger Adobe booked in double-digit revenues rises in its latest quarter but lowered forecasts due to conflict in Ukraine and and currency challenges. As such, Wall Street frowned and the share price went down.

The Photoshop maker reported turnover from sales of $4.39 billion for Q2 ended June 3, up 14 percent year-on-year. The vast bulk of this, some $4.07 billion, was subscription-based, something other software vendors must eye with some envy because investors love recurring revenues.

The Digital Media division, which includes Creative Cloud and Document Cloud products, jumped 15 percent to $3.20 billion, higher than analysts had estimated. The Digital Experience wing was $1.1bn, up 17 per cent, again trumping analysts' projections of $1.08 billion.

Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

Adobe-owned cloudy video workflow outfit Frame.io has apologized and promised to do better after a series of lengthy outages to its service, which became part of Adobe's flagship Creative Cloud in 2021.

Frame.io bills itself as "The fastest, easiest, and most secure way to automatically get footage from cameras to collaborators – anywhere in the world" because its "Camera to Cloud" approach "eliminates the delay between production and post" by uploading audio and video "from the set to Frame.io between each take." In theory, that means all the creatives involved in filmed projects don't have to wait before getting to work.

In theory. Customers say that's not the current Frame.io experience. Downdetector's listing for the site records plenty of complaints about outages and tweets like the one below are not hard to find.

Ask 1,000 CIOs whether they believe their organizations are vulnerable to cyberattacks targeting their software supply chains and about 82 percent can be expected to say yes.

Security biz Venafi engaged research firm Coleman Parkes to put that question to as many corporate IT leaders from the US, UK, France, Germany, Austria, Switzerland, Belgium, Netherlands, Luxembourg, Australia, and New Zealand.

The result was an emphatic vote of no confidence.

Open-source vector drawing package Inkscape has resolved at least one user pain point with v1.2 – multiple-page documents.

Black Hat Asia Security researchers have devised a tool that detects flaws in the way apps like Microsoft Word and Adobe Acrobat process JavaScript, and it's proven so effective they've found 134 bugs – 59 of them considered worthy of a fix by vendors, 33 assigned a CVE number, and 17 producing bug bounty payments totaling $22,000.

The tool is named "Cooper" – a reference to the "Cooperative mutation" technique employed by the tool.

Speaking at the Black Hat Asia conference in Singapore, PhD student Xu Peng of the Chinese Academy of Sciences – one of the tool's co-authors – explained that the likes of Word and Acrobat accept input from scripting languages. Acrobat, for example, allows JavaScript to manipulate PDF files.

Security flaws in Log4j, Microsoft Exchange, and Atlassian's workspace collaboration software were among the bugs most frequently exploited by "malicious cyber actors" in 2021 , according to a joint advisory by the Five Eyes nations' cybersecurity and law enforcement agencies.

It's worth noting that 11 of the 15 flaws on the list were disclosed in 2021, as previous years' lists often found miscreants exploiting the older vulns for which patches had been available for years.

Of course, the US Cybersecurity and Infrastructure Security Agency (CISA) and friends note that malicious cyber actors have not stopped trying to exploit older flaws – but reckon those efforts are happening to a "lesser extent" than in the past.

Adobe Creative Cloud Experience, a service installed via the Creative Cloud installer for Windows, includes a Node.js executable that can be abused to infect and compromise a victim's PC.

Michael Taggart, a security researcher, recently demonstrated that the node.exe instance accompanying Adobe's service could be exploited by writing a simple proof-of-concept JavaScript file that spawns the Windows Calculator app.

"I have confirmed that the node.exe packaged with the Adobe Customer Experience service can run any JavaScript you point it to," he explained to The Register.

Adobe had a great first quarter this year, but the real news is the losses it is predicting due to the Russo-Ukraine war, which finally gives us a sense of the financial impact of Russian pullouts on big tech.

The purveyor of Creative Cloud posted record Q1 revenue [PDF] for the period ending March 4, 2022, in which it turned over $4.26bn, equating to 9 percent year-over-year growth for the quarter. 

Segments of Adobe's operations also posted big growth in Q1: revenues in the Digital Media segment were $3.11bn, representing the same growth percentages as Adobe overall. Creative revenue grew to $2.55bn, or 7 percent YoY growth; and Document Cloud revenue hit $562m, or 17 percent YoY growth. 

Microsoft's massive April Patch Tuesday includes one bug that has already been exploited in the wild and a second that has been publicly disclosed.

In total, the Redmond giant patched over 100 bugs today, including 10 critical remote code execution (RCE) vulnerabilities.

First, though: CVE-2022-24521, which NSA and CrowdStrike security researchers reported to Microsoft, is under active exploitation. It's an elevation-of-privilege vulnerability, and it occurs in the Windows Common Log File System Driver.