CVE-2022-38414 InDesign versions 16.4.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.

In most cases, InDesign users are not aware that a malicious file is present on the system. The malicious file might be placed there through social engineering or, in some cases, the user might unknowingly receive it via a drive-by download. While InDesign does not prompt for installation through the file system, users must be cautious about where they obtain software and updates. Adobe recommends updating to the latest version of InDesign as soon as possible.

Adobe InDesign (CS1)

Adobe InDesign CS1 was released in 2010 and is an application for designing and editing documents. The software is compatible with a wide variety of operating systems, including Windows, macOS, and Linux. It provides a familiar interface to those who have used Adobe Creative Suite applications.
The software includes features that enable users to import and export files from their project designs or directly from other programs through XML templates, which are generated by the application itself.

Adobe InDesign and version tracking

The latest InDesign update fixes vulnerabilities that could allow a malicious file called CVE-2022-38414 to be installed on the system. This file might be installed via social engineering or through a drive-by download. Once present, the malicious file could compromise the user and install spyware, ransomware, and other malicious files.
Adobe recommends updating to the latest version of InDesign immediately, as this vulnerability is fixed in the newest software update, version 23.2.0. As mentioned earlier, InDesign users avoid this vulnerability by applying all software updates promptly, which keeps their system security current and reduces the risk of compromise by malicious software.

Adobe InDesign CS6 HTML Files

The issue was discovered by Adobe after a user who had downloaded and installed InDesign found that one of the files contained malicious code.

Adobe InDesign and the Adobe Product Security Incident Response Team (PSIRT)

InDesign does not prompt for installation through the file system. Users who are unsure which software to install can visit the Adobe website to confirm that they are installing software from an official source. The PSIRT is an online support resource that lets InDesign users check whether there are any vulnerabilities or security issues affecting their software and provides advice on how to manage the associated risks. Users can also contact the PSIRT by phone or email if they have any security concerns.

Adobe Acrobat and Reader

Adobe Acrobat and Reader are not the only programs that can be affected by a malicious file. Other programs that might be affected include, but are not limited to, Microsoft Word, Microsoft Project, Microsoft Visio, Microsoft OneNote, Adobe Illustrator, and Adobe InDesign.

Timeline

Published on: 09/16/2022 18:15:00 UTC
Last modified on: 09/20/2022 15:29:00 UTC
