Adobe patches holes in Illustrator
Adobe has released an update to close two critical security holes in Illustrator CS3 and CS4. Both the Windows and the Mac OS X versions are affected. One of the holes was discovered in early December and is based on a buffer overflow that can be triggered when processing specially crafted "Encapsulated PostScript" (EPS) files. An existing exploit for this vulnerability binds a shell to network port 4444 on vulnerable computers, allowing attackers to remotely access a Windows computer. The second hole is also based on a buffer overflow.
Under Windows, the update consists of one file (MPS.dll), which needs to be manually copied to the Illustrator installation folder. Adobe provides the required instructions in its original advisory. Under Mac OS X, a whole folder needs to be copied into the installation path. The relevant procedure can also be found in Adobe's advisory.
- Security updates available for Adobe Illustrator CS4 and CS3, advisory from Adobe.
- Critical vulnerability in Adobe Illustrator, a report from The H.