Adobe fixes critical vulnerability in Photoshop CS6
Adobe has released an update for Photoshop CS6 that closes a critical heap-based buffer overflow vulnerability (CVE-2012-4170) in its popular graphics editing program. The company says that the security hole could be exploited by an attacker to take control of an affected system, but the attacker would have to convince the victim to open a specially crafted file in Photoshop.
According to a Secunia advisory, the problem is caused by a boundary error in the "Standard MultiPlugin.8BF" module when processing certain PNG image files. Both the Windows and Mac OS X versions of Photoshop CS6 (13.0) are affected, and upgrading to the new 13.0.1 release fixes the problem. The company says that earlier versions of Photoshop are not affected by the vulnerability.
Adobe gives the flaw a low priority, saying that it is currently unaware of any attacks exploiting the vulnerability and that it believes attacks targeting Photoshop are unlikely. Despite this, all Photoshop CS6 users are advised to update to the new version as soon as possible. The hole was reported to Adobe by Francis Provencher via security specialist Secunia.
Further information about the update, including a list of non-security-related changes and bug fixes, can be found in Adobe's announcement blog post. Users can upgrade to Photoshop CS6 13.0.1 by selecting "Updates" under the Photoshop Help menu; this will launch the Adobe Application Manager, allowing users to select and install the update.
- Security update available for Adobe Photoshop CS6, security advisory from Adobe.