Threat Research

FortiGuard Labs Researcher Discovers 12 Zero-Day Vulnerabilities in Adobe InDesign

By Yonghui Han | September 16, 2022

In mid-June, 2022, I discovered and reported several zero-day vulnerabilities in Adobe InDesign to Adobe. This past Patch Tuesday, September 13, 2022, Adobe released security patches that fixed these vulnerabilities. They are identified as:

CVE-2022-28852
CVE-2022-28853
CVE-2022-28854
CVE-2022-28855
CVE-2022-28856
CVE-2022-28857
CVE-2022-30671
CVE-2022-30672
CVE-2022-30673
CVE-2022-30674
CVE-2022-30675
CVE-2022-30676

These vulnerabilities have different root causes related to one plugin of InDesign. All of these vulnerabilities are assigned a Critical or Important severity. We suggest users apply the latest Adobe patches as soon as possible. 

Affected platforms: Windows
Impacted parties: Users of Adobe InDesign 2022 version 17.3 and earlier, Users of Adobe InDesign 2021 version 16.4.2 and earlier
Impact: Multiple vulnerabilities leading to information leak or arbitrary code execution.
Severity level: Critical and Important

Vulnerability Details

Following are some details on these vulnerabilities. More information can be found on the related Fortinet Zero Day Advisory pages by clicking on the CVE links: 

CVE-2022-28852:

This Arbitrary Code Execution vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory write due to an improper bounds check.

Attackers can exploit this vulnerability to execute arbitrary code within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-28852.Arbitrary.Code.Execution for this specific vulnerability to proactively protect our customers.

CVE-2022-28853:

This Arbitrary Code Execution vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory write due to an improper bounds check.

Attackers can exploit this vulnerability to execute arbitrary code within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-28853.Arbitrary.Code.Execution for this specific vulnerability to proactively protect our customers.

CVE-2022-28854:

This Out-of-Bounds Read vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory read due to an improper bounds check. 

Attackers can exploit this vulnerability to leak sensitive information within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-28854.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-28855:

This Out-of-Bounds Read vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory read due to an improper bounds check. 

Attackers can exploit this vulnerability to leak sensitive information within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-28855.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-28856:

This Out-of-Bounds Read vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory read due to an improper bounds check. 

Attackers can exploit this vulnerability to leak sensitive information within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-28856.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-28857:

This Out-of-Bounds Read vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory read due to an improper bounds check. 

Attackers can exploit this vulnerability to leak sensitive information within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-28857.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-30671:

This Out-of-Bounds Read vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory read due to an improper bounds check. 

Attackers can exploit this vulnerability to leak sensitive information within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-30671.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-30672:

This Out-of-Bounds Read vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory read due to an improper bounds check. 

Attackers can exploit this vulnerability to leak sensitive information within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-30672.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-30673:

This Out-of-Bounds Read vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory read due to an improper bounds check. 

Attackers can exploit this vulnerability to leak sensitive information within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-30673.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-30674:

This Out-of-Bounds Read vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory read due to an improper bounds check. 

Attackers can exploit this vulnerability to leak sensitive information within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-30674.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-30675:

This Out-of-Bounds Read vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory read due to an improper bounds check. 

Attackers can exploit this vulnerability to leak sensitive information within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-30675.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-30676:

This Out-of-Bounds Read vulnerability exists in the decoding of QuarkXPress Drawing ‘QXD’ files in Adobe InDesign. Specifically, the vulnerability is caused by a malformed QXD file, which causes an out of bounds memory read due to an improper bounds check. 

Attackers can exploit this vulnerability to leak sensitive information within the context of the application via a crafted QXD file.

Fortinet previously released IPS signature Adobe.InDesign.CVE-2022-30676.Memory.Leak for this specific vulnerability to proactively protect our customers.

Fortinet Protections

Fortinet IPS customers are protected with the following signatures, which were previously released for these vulnerabilities:

  • Adobe.InDesign.CVE-2022-28852.Arbitrary.Code.Execution
  • Adobe.InDesign.CVE-2022-28853.Arbitrary.Code.Execution
  • Adobe.InDesign.CVE-2022-28854.Memory.Leak
  • Adobe.InDesign.CVE-2022-28855.Memory.Leak
  • Adobe.InDesign.CVE-2022-28856.Memory.Leak
  • Adobe.InDesign.CVE-2022-28857.Memory.Leak
  • Adobe.InDesign.CVE-2022-30671.Memory.Leak
  • Adobe.InDesign.CVE-2022-30672.Memory.Leak
  • Adobe.InDesign.CVE-2022-30673.Memory.Leak
  • Adobe.InDesign.CVE-2022-30674.Memory.Leak
  • Adobe.InDesign.CVE-2022-30675.Memory.Leak
  • Adobe.InDesign.CVE-2022-30676.Memory.Leak

In addition, FortiEDR detects and prevents the exploitation of these vulnerabilities.

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.