Photoshop executes injected code
Scott Laurie has discovered a vulnerability in Adobe's Photoshop CS3, After Effects CS3 and Photoshop Album Starter Edition that attackers can use to inject trojans using manipulated images. Security specialist Kevin Finisterre has also reported the flaw. No updates that remedy the flaw have yet been released.
Laurie writes that the Adobe products in question do not check the headers of image files when processing them, but merely assume that the values are valid. As a result, buffer overflows can occur, allowing execution of any injected code. In his security advisory, Laurie provides some sample code for a specially crafted BMP file to demonstrate the vulnerability in Photoshop Album Starter Edition 3.2 under Windows XP SP2.
The flaw can be exploited when the software opens manipulated files. Photoshop Album Starter Edition also automatically searches removable media, such as USB sticks, when they are connected to the computer, allowing manipulated files to inject malicious code as soon as the USB stick is plugged in. Apparently, this attack succeeds whenever the computer is running – even when it is locked.
Up to now, Adobe has not provided any updated software. Because Laurie has provided demonstration code that exploits the flaw, criminals can easily create images that inject malicious code onto user systems. Users are therefore advised not to open BMP files from untrusted sources with the affected programs until Adobe has released updates.
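The article does not say which header field triggers the overflow, so the following added example (not Adobe's code and not the code from the advisory) shows the general defensive pattern for the problem described above: every size a BMP header declares is checked against the bytes actually read before anything is allocated or copied. It is narrowed to uncompressed 24/32-bit BITMAPINFOHEADER files; MAX_DIM, bmp_header_ok and check_sample are names and limits assumed for this illustration.

```c
/* Added example: check BMP header fields against the bytes actually present. */
#include <stdint.h>
#include <stdio.h>

#define MAX_DIM 32768  /* assumed policy limit, not taken from the advisory */

static uint32_t rd32(const uint8_t *p) {          /* little-endian read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {        /* little-endian write */
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 1 only if every size the header declares fits inside buf[0..len). */
int bmp_header_ok(const uint8_t *buf, size_t len) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;
    uint32_t off = rd32(buf + 10), hdr = rd32(buf + 14);
    int64_t  w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint32_t planes = buf[26] | (uint32_t)buf[27] << 8;
    uint32_t bpp    = buf[28] | (uint32_t)buf[29] << 8;
    if (rd32(buf + 2) > len) return 0;            /* declared file size vs. real size */
    if (hdr != 40 || planes != 1 || rd32(buf + 30) != 0) return 0;  /* BI_RGB only */
    if (bpp != 24 && bpp != 32) return 0;         /* no palette formats in this example */
    if (h < 0) h = -h;                            /* negative height = top-down rows */
    if (w <= 0 || w > MAX_DIM || h == 0 || h > MAX_DIM) return 0;
    if (off < 54 || off > len) return 0;          /* pixel data must start inside file */
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;  /* 64-bit, cannot wrap */
    return stride * (uint64_t)h <= (uint64_t)len - off;
}

/* Constructed sample: 2x2 24-bit BMP (54-byte header + 16 pixel bytes) with
   width, height and pixel offset overridden by the caller. */
int check_sample(uint32_t width, uint32_t height, uint32_t offbits) {
    uint8_t f[70] = { 'B', 'M' };
    wr32(f + 2, sizeof f);  wr32(f + 10, offbits);  wr32(f + 14, 40);
    wr32(f + 18, width);    wr32(f + 22, height);   wr32(f + 34, 16);
    f[26] = 1;  f[28] = 24;                       /* planes, bits per pixel */
    return bmp_header_ok(f, sizeof f);
}

int main(void) {
    printf("well-formed 2x2:      %d\n", check_sample(2, 2, 54));
    printf("width 0x7fffffff:     %d\n", check_sample(0x7fffffffu, 2, 54));
    printf("height 3, 2 rows:     %d\n", check_sample(2, 3, 54));
    printf("offset past the file: %d\n", check_sample(2, 2, 4096));
    return 0;
}
```

A decoder that runs a check like this first can size its buffers from the validated width, height and stride rather than from unchecked header values.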
- Adobe Unchecked Overflow, Scott Laurie's (c0ntex) security advisory at Full Disclosure
- Re: Adobe Unchecked Overflow, Kevin Finisterre's security advisory at Full Disclosure