InDesign Archives

Winsage

March 12, 2025

Zero Day Initiative — The March 2025 Security Update Review

In March 2025, Adobe released seven bulletins addressing 37 Common Vulnerabilities and Exposures (CVEs) across its software products, including Acrobat Reader, Illustrator, InDesign, and Substance 3D applications. Six vulnerabilities were reported through the Zero Day Initiative program. The Acrobat Reader patch resolves multiple Critical-rated code execution vulnerabilities, while Illustrator and InDesign patches also address critical issues. The Substance 3D Sampler patch fixes seven vulnerabilities, with some classified as Critical, and the other Substance 3D applications also received updates for code execution vulnerabilities. None of the vulnerabilities were publicly known or under active attack at the time of release. Microsoft released an update addressing 56 new CVEs across its products, totaling 67 when including third-party vulnerabilities. Six are rated as Critical, and 50 as Important. Notable vulnerabilities include CVE-2025-26633, a security feature bypass in the Microsoft Management Console, and critical remote code execution vulnerabilities CVE-2025-24993 and CVE-2025-24985 linked to Windows NTFS and Fast FAT file systems. CVE-2025-24984 and CVE-2025-24991 involve information disclosure vulnerabilities, with one requiring physical access and the other needing a specially crafted VHD. Immediate attention and deployment of patches for these vulnerabilities are essential.

Winsage

February 23, 2025

WinApps: Virtualized Windows Apps On Linux, Plus Windowing

Linux users can now run the latest version of Photoshop on Linux machines with access to a dedicated mobile GPU, thanks to innovative open-source solutions. This is achieved through the WinApps project, which integrates a virtual machine into the Linux desktop using Remote Desktop Protocol, allowing Windows applications to run alongside native Linux programs. The setup requires significant effort, particularly in recognizing the GPU, but it enables heavy-duty applications to function effectively on machines like the HP Envy 16 with an Intel i7-12700H processor and 32GB of RAM. While WinApps offers substantial benefits for users relying on Adobe Creative Cloud and Microsoft Office 365, it is best suited for casual use due to potential bugs and performance issues. The development of WinApps reflects the contributions of various open-source teams, including those at Red Hat, and suggests future enhancements may improve accessibility for users.

Winsage

February 12, 2025

Microsoft takes it easy on February’s Patch Tuesday

Microsoft released a total of 63 patches in February, including six previously released ones. Two vulnerabilities, CVE-2025-21418 (CVSS 7.8) and CVE-2025-21391 (CVSS 7.1), are actively exploited and require local access and authentication for exploitation. CVE-2025-21418 affects the Windows Ancillary Function Driver for Winsock, allowing attackers to gain SYSTEM-level privileges on Windows 10, 11, and various Windows Server versions. CVE-2025-21391 affects Windows Storage, enabling local attackers to delete files under certain conditions. Two publicly known vulnerabilities, CVE-2025-21194 (CVSS 7.1) and CVE-2025-21377 (CVSS 6.5), have not yet been exploited. CVE-2025-21194 exposes PCs to potential hypervisor and secure kernel compromises, while CVE-2025-21377 risks leaking a user's NTLMv2 hash with minimal user interaction. CVE-2025-21198, rated at CVSS 9.0, allows remote code execution in high-performance computing infrastructures, requiring network access to a targeted HPC cluster. Excel users should address five patches rated at 7.8, particularly CVE-2025-21381, which has potential for remote code execution through local attack vectors. As of February 11, administrators must configure the StrongCertificateBindingEnforcement registry key on domain controllers to avoid transitioning to Full Enforcement mode by February 2025. CVE-2025-21177 (CVSS 8.7) has been fully mitigated by Microsoft. Adobe released 45 updates, with 31 addressing vulnerabilities in Adobe Commerce, and critical patches for InDesign and Illustrator. SAP issued 21 patches affecting NetWeaver and addressing cross-site scripting issues. Fortinet released security updates for various products, including a critical authentication bypass vulnerability in FortiOS and FortiProxy (CVSS 9.6).

Winsage

February 11, 2025

Zero Day Initiative — The February 2025 Security Update Review

Adobe released seven bulletins in February 2025, addressing 45 CVEs across products such as InDesign, Commerce, Substance 3D Stager, InCopy, Illustrator, Substance 3D Designer, and Photoshop Elements. The updates include: - InDesign: Seven bugs fixed, four rated Critical. - Illustrator: Three critical bugs allowing arbitrary code execution when opening malicious files. - Substance 3D Stager: One DoS bug fixed. - InCopy: One critical-rated code execution vulnerability patched. - Substance 3D Designer: One critical-rated code execution vulnerability patched. - Photoshop Elements: One important-rated privilege escalation vulnerability addressed. None of the patched vulnerabilities were publicly known or under active attack at the time of release. Microsoft released patches for 57 new CVEs affecting Windows, Office, Azure, Visual Studio, and Remote Desktop Services, totaling 67 CVEs including third-party submissions. The severity ratings are: - 3 rated Critical - 53 rated Important - 1 rated Moderate Two vulnerabilities are publicly known, and two are under active attack. Notable vulnerabilities include: - CVE-2025-21391: Windows Storage Elevation of Privilege Vulnerability allowing file deletion and privilege escalation. - CVE-2025-21418: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability requiring authenticated user interaction. - CVE-2025-21376: Windows LDAP Remote Code Execution Vulnerability allowing unauthenticated remote code execution. - CVE-2025-21387: Microsoft Excel Remote Code Execution Vulnerability exploitable through the Preview Pane requiring user interaction.

Winsage

December 11, 2024

Microsoft closes 2024 with 72 fixes on final Patch Tuesday

Microsoft's Patch Tuesday update addressed 72 vulnerabilities, with CVE-2024-49138 being actively exploited, affecting the Windows Common Log File System Driver and allowing privilege escalation on Windows 10, 11, and Server 2019 and later. The most critical vulnerability, CVE-2024-49112, has a CVSS score of 9.8 but is challenging to exploit, related to the Windows Lightweight Directory Access Protocol (LDAP). Microsoft recommends blocking inbound RPCs from untrusted networks as a workaround. CVE-2024-49093, with a CVSS score of 8.8, poses risks from malicious low-privilege AppContainers. Other significant vulnerabilities include CVE-2024-49088, CVE-2024-49090, and CVE-2024-49114, all related to privilege escalation. Additionally, CVE-2024-49070 and CVE-2024-49122 involve code execution flaws. Adobe released a patch for 167 vulnerabilities, including 91 in Adobe Experience Manager, with one critical flaw. Adobe Connect fixed 22 vulnerabilities, six rated critical, while Adobe Acrobat addressed six vulnerabilities, none exceeding a CVSS score of seven. Adobe Animate had 13 vulnerabilities, all rated 7.8, and InDesign and Substance 3D Modeler each had nine issues, none surpassing a CVSS score of 7.8. Adobe Media Encoder fixed four vulnerabilities, three allowing arbitrary code execution.

Winsage

December 11, 2024

Zero Day Initiative — The December 2024 Security Update Review

In December 2024, Adobe released 16 patches addressing 167 CVEs across various products, including Adobe Experience Manager, Acrobat and Reader, Media Encoder, Illustrator, After Effects, Animate, InDesign, Adobe PDFL SDK, Connect, Substance 3D Sampler, Photoshop, Substance 3D Modeler, Bridge, Premiere Pro, Substance 3D Painter, and FrameMaker. The most significant patch resolved 91 CVEs in Adobe Experience Manager, primarily related to cross-site scripting (XSS) and one critical code execution vulnerability. Other notable patches included 22 CVEs for Connect, several code execution vulnerabilities for Acrobat, and 13 critical-rated code execution bugs for Animate. Additional patches addressed 9 CVEs each for InDesign and Substance 3D Modeler, 4 CVEs for Media Encoder, 3 CVEs for Substance 3D Sampler, and 2 CVEs each for Illustrator and Substance 3D Painter. None of the vulnerabilities were publicly known or under active attack at the time of release. Microsoft's December release included 71 new CVEs affecting Windows and its components, Office, SharePoint Server, Hyper-V, Defender for Endpoint, and System Center Operations Manager, totaling 72 CVEs for the month, the largest since 2017. Among the patches, 16 were rated Critical, 54 Important, and one Moderate. Notably, CVE-2024-49138 is actively being exploited, while CVE-2024-49112 allows remote code execution via LDAP with a CVSS score of 9.8. CVE-2024-49117 permits code execution from a guest VM on Hyper-V, and CVE-2024-49063 involves deserialization vulnerabilities in the Muzic project. Organizations are advised to patch promptly to mitigate risks.

Winsage

October 9, 2024

Microsoft issues 117 patches – two under active attack

Microsoft released 117 patches on Patch Tuesday, including two actively exploited vulnerabilities: CVE-2024-43572, a critical remote code execution flaw in Microsoft's Management Console rated at 7.8, and CVE-2024-43573, a moderate-risk spoofing vulnerability in MSHTML. Additional notable patches include CVE-2024-6197 and CVE-2024-43583, both rated at 8.8, and CVE-2024-43468, a critical 9.8 remote code execution vulnerability in Microsoft Configuration Manager. Adobe addressed 52 low-priority CVEs, while SAP reported a dozen issues, including CVE-2024-41730, a 9.8-rated BusinessObjects bug.

Winsage

August 13, 2024

Zero Day Initiative — The August 2024 Security Update Review

Adobe has released 11 security bulletins addressing a total of 71 CVEs for August 2024, affecting applications such as Illustrator, Photoshop, InDesign, Acrobat, and Reader. Notably, 14 vulnerabilities were reported through the Zero Day Initiative (ZDI). Significant updates include critical code execution vulnerabilities in Adobe Commerce and InDesign, with Acrobat and Reader updates addressing concerns related to malicious PDFs. Other applications also received patches, including Photoshop, Substance 3D Stager, InCopy, Substance 3D Designer, Illustrator, Dimension, Bridge, and Substance 3D Sampler. None of the vulnerabilities are currently known to be exploited, with a deployment priority rating of 3. Microsoft has introduced 90 new CVEs across various platforms, including Windows, Office, .NET, and Azure, with a total of 102 when including third-party vulnerabilities. Among these, four were reported through the ZDI program, and one is under active exploitation. The severity ratings include seven critical, 79 important, and one moderate vulnerability. Noteworthy vulnerabilities include CVE-2024-38178 (scripting engine memory corruption), CVE-2024-38193 (Windows Ancillary Function Driver elevation of privilege), CVE-2024-38106 (Windows Kernel elevation of privilege), CVE-2024-38107 (Windows Power Dependency Coordinator elevation of privilege), and CVE-2024-38189 (Microsoft Project remote code execution). Four CVEs are publicly known, and six are actively exploited.

Winsage

August 8, 2024

Microsoft discontinues Adobe Type 1 fonts support in Windows

Microsoft has announced the deprecation of Adobe PostScript Type1 fonts, which will no longer be supported in future Windows releases. This follows Adobe's cessation of support for these fonts in January 2023 across its latest software, including Photoshop, Illustrator, and InDesign. Users are advised to remove Adobe PostScript Type1 fonts and their dependencies by navigating to Settings > Personalization > Fonts. Developers are encouraged to assess their applications for compatibility without these fonts. This change is part of a broader trend of deprecating several features in Windows Client operating systems.

Winsage

August 8, 2024

Microsoft: Windows 11 will no longer support Adobe Type 1 fonts

Microsoft has announced the discontinuation of legacy PostScript fonts in Windows 11, aligning with Adobe's retirement of PostScript Type 1 fonts in January 2023. This change affects several Adobe products, including Photoshop version 23.0, Illustrator 27.3, InDesign 18.2, and Digital Video and Audio 23.2. Users can still access older versions of Adobe software for these fonts, but Adobe has shifted to OpenType fonts compatible with both Mac and Windows. Microsoft recommends transitioning to alternative font types and provides methods for removing deprecated fonts through the Fonts settings page or File Explorer. Additionally, Microsoft plans to eliminate legacy font management in Windows 11, redirecting the Control Panel’s Fonts page to the Settings app. In 2024, Microsoft has announced the phasing out of NTLM, Direct Access, and other outdated technologies, including the complete removal of WordPad in the upcoming Windows 11 24H2 release. A workaround exists for users to retain access to WordPad by downloading a core file package.