Adobe has released a security patch for Adobe Photoshop CS6 (13.0) for Windows and Macintosh. The update fixes critical vulnerabilities in Photoshop’s PNG parsing that could allow an attacker take control of an affected system.
Adobe haven’t release much informaton about the update but only mention that it fixes two buffer overflow vulnerabilities (CVE-2012-4170 and CVE-2012-0275) and that could lead to code execution. However Francis Provencher, from Protek Research Labs, who was responsible for finding one of the vulnerabilities posted more information on exploit-db.com.
The vulnerability is caused due to a boundary error in the “Standart MultiPlugin.8BF” module when processing a Portable Network Graphics (PNG) image. This can be exploited to cause
a heap-based buffer overflow via a specially crafted “tRNS” chunk size. Successful exploitation may allow execution of arbitrary code. However, to exploit the vulnerability a Photoshop user needs to be convinced to open a malicious image in the editor.
Adobe Photoshop CS5.1 (12.1.1) and Adobe Photoshop CS5 (12.0.5) and earlier versions for Windows and Macintosh are not affected by these vulnerabilities.