The Importance of Patch Tuesday for Cybersecurity: Examining the Critical Flaws in Adobe Commerce Software.

Adobe Commerce Software Critical Flaws: Patch Tuesday Update

On Patch Tuesday, Adobe released a batch of critical updates covering at least twelve security problems in its Adobe Commerce software, previously known as Magento. The company also released fixes for four bugs exploitable through Adobe Experience Manager software, critical bugs in Adobe Animate that could lead to code execution in the context of the current user, and a major bug in Adobe Substance 3D Designer that risks code execution.

Code Execution and Arbitrary File System Read Risks

Adobe’s critical-severity bulletin explained that successful exploitation of the Adobe Commerce software issues might lead to arbitrary code execution, arbitrary file system read, and security feature bypass. The Magento Open Source product is also exposed to these issues. Adobe adds that the updates also address vulnerabilities rated moderate and important, exploitation of which could result in arbitrary code execution and security feature bypass.

Editorial: The Importance of Patching

Adobe Commerce software is widely deployed, making it a significant target for attackers. Given the risk of arbitrary code execution and arbitrary file system read, it is essential to apply the updates for these critical-severity flaws immediately.

Moreover, delays in patching can lead to a domino effect of damage and subsequent costs to organizations. Once attackers gain control over a system, they can use it as a stepping stone to other parts of the organizational network or use it to deliver attacks against other organizations.

As a result, patching is the most effective risk mitigation strategy for vulnerabilities that allow arbitrary code execution. However, patching is often overlooked or delayed. Cybersecurity Ventures predicts the cost of cybercrime will reach $10.5 trillion annually by 2025, with up to $255 billion due to cybercrime damages caused by missed security patches.

Philosophical Discussion: Ethics of Software Development

Organizations that deploy Adobe Commerce software should consider a fundamental question: is software development an engineering task or a creative one?

If it is an engineering task, then the Secure Software Development Life Cycle (SSDLC) should be an essential requirement, from the design stage through testing and implementation. Any software released must undergo rigorous risk analysis and testing, and software development teams should be responsible for guaranteeing the software’s safety and overall security.

If software development is viewed as a creative task, then arguments about stifling innovation may emerge. But the security cost is high. Therefore, organizations must seek a balance between these two opposing ideas.

Advice: Best Practices for Companies

Organizations should consider a few best practices:

  • Deploying effective security solutions, such as firewalls and AI-powered cybersecurity solutions, can augment organizations’ ability to detect vulnerabilities before an attacker finds them.
  • Providing training that teaches employees how to better detect malware and other threats.
  • Encouraging a culture of patch management whereby employees understand the importance of timely deployment of patches to avoid being a soft target for attackers.
  • Holding software vendors accountable for their software security by enforcing Service Level Agreements (SLAs) around patching of known worms and viruses.