October 30, 2014

Adobe releases fix for Photoshop CS6 PNG parsing heap overflow

Adobe has released a security patch for Adobe Photoshop CS6 (13.0) for Windows and Macintosh. The update fixes critical vulnerabilities in Photoshop’s PNG parsing that could allow an attacker take control of an affected system.

Adobe haven’t release much informaton about the update but only mention that it fixes two buffer overflow vulnerabilities (CVE-2012-4170 and CVE-2012-0275) and that could lead to code execution. However Francis Provencher, from Protek Research Labs, who was responsible for finding one of the vulnerabilities posted more information on exploit-db.com.

The vulnerability is caused due to a boundary error in the “Standart MultiPlugin.8BF” module when processing a Portable Network Graphics (PNG) image. This can be exploited to cause
a heap-based buffer overflow via a specially crafted “tRNS” chunk size. Successful exploitation may allow execution of arbitrary code. However, to exploit the vulnerability a Photoshop user needs to be convinced to open a malicious image in the editor.

Adobe Photoshop CS5.1 (12.1.1) and Adobe Photoshop CS5 (12.0.5) and earlier versions for Windows and Macintosh are not affected by these vulnerabilities.

Adobe Finally Updates the CS5 & CS5.5 Versions of Illustrator and Photoshop to Fix Security Vulnerabilities

Three weeks ago Adobe published two security advisories describing critical vulnerabilities in the CS5 and CS5.5 versions of Illustrator and Photoshop. The original advisories recommended that users upgrade to CS6 (which they would have to pay for) and didn’t offer any patches or updates for the CS5 and CS5.5 versions. Following complaints, bad press and an outcry from users, Adobe made a U turn and promised patches in due course. Those patches have now been released.

Illustrator

The vulnerabilities present in Adobe Illustrator CS5 (15.0.x) and Adobe Illustrator CS5.5 (15.1) for Windows and Macintosh could allow an attacker who successfully exploits these vulnerabilities to take control of the affected computer. Adobe has now released Adobe Illustrator CS5 (15.0.3) and Adobe Illustrator CS5.5 (15.1.1) to address the vulnerabilities. Specifically the update addresses six separate memory corruption vulnerabilities that could be exploited to let an attacker execute arbitrary code.

Photoshop

Like Adobe Illustrator, the vulnerabilities present in Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh could allow an attacker who successfully exploits these vulnerabilities to take control of the affected computer.

Adobe has now released security updates for Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh. For an attacker to exploit the vulnerabilities a malicious file must be opened in Photoshop. Adobe is not aware of any attacks exploiting these vulnerabilities. The update fixes three specific problems:

  1. A use-after-free TIFF vulnerability that could lead to code execution.
  2. A buffer overflow vulnerability that could lead to code execution.
  3. A stack-based buffer-overflow vulnerability in the Collada .DAE file format that could lead to code execution.

 

 

Adobe Releases Security Bulletins for Illustrator, Photoshop, Flash Professional and Shockwave Player

(LiveHacking.Com) – Adobe has released security bulletins describing critical vulnerabilities in Illustrator, Photoshop, Flash Professional and Shockwave Player:

Illustrator

Adobe released a security upgrade for Adobe Illustrator CS5.5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. Adobe is not aware of any attacks exploiting these vulnerabilities against Adobe Illustrator.

Photoshop

Adobe has released a security upgrade for Adobe Photoshop CS5 and earlier for Windows and Macintosh. This upgrade addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious .TIF file must be opened in Photoshop CS5 and earlier for Windows and Macintosh by the user for an attacker to be able to exploit these vulnerabilities. Adobe is not aware of any attacks exploiting these vulnerabilities against Adobe Photoshop.

Flash Professional

Adobe has released a security upgrade for Adobe Flash Professional CS5.5 (11.5.1.349) and earlier for Windows and Macintosh. This upgrade addresses a vulnerability that could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Flash Professional.

Shockwave Player

Adobe has released a security update for Adobe Shockwave Player 11.6.4.634 and earlier versions for Windows and Macintosh. This update addresses vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to run malicious code on the affected system.

Adobe Releases Critical Security Bulletins for Shockwave, Flash Media Server and Photoshop

(LiveHacking.Com) – Following Google’s update of Chrome to include a new version of Adobe Flash Player,  Adobe has now released additional  security bulletins listing critical and important vulnerabilities in multiple products including Shockwave, Flash Media Server and Photoshop. The full list is:

  • Adobe Shockwave Player 11.6.0.626 and earlier versions on the Windows and Macintosh operating systems
  • Adobe Flash Media Server 4.0.2 and earlier versions
  • Adobe Flash Media Server 3.5.6 and earlier versions for Windows and Linux
  • Adobe Photoshop CS5 and CS5.1 and earlier for Windows and Macintosh
  • RoboHelp 9.0.1.233 and earlier, RoboHelp 8, RoboHelp Server 9, and RoboHelp Server 8

Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, take control of an affected system, or perform a cross-site scripting attack.

Memory corruptions

With the exception of RoboHelp, all the patches fix memory corruptions which if exploited could lead to execute arbitrary code. For example, the vulnerability in Photoshop CS5 and CS5.1, for Windows and Macintosh, could be exploited with a malicious .GIF file when it is opened in Photoshop by the user.

The H Security: Scope of DLL security problem widens – Update

After HD Moore released details last week about the DLL problem under Windows, along with a testing tool, an increasing number of affected applications and their matching exploits have been reported. In addition to Firefox and Opera, vulnerable programs include such popular applications as PowerPoint, Photoshop, Dreamweaver, VLC, uTorrent and Wireshark – in each case, the current version is affected. They all use an insecure way of loading DLLs in which at an early stage the search order contains the current directory – a directory that could be on a network device.

Read the full story here.

Source:[The H Security]