Vulnerability closed in Google Picasa 3.6
Google's Picasa image management and editing software contains a hole that allows attackers to compromise Windows computers. According to Microsoft's David Weston, who discovered the bug, the security vulnerability (CVE-2011-2747) is caused by an error in the way that the application handles properties of JPEG image files and could be used to execute arbitrary code on a victim's system.
For an attack to be successful, a victim must first open a specially crafted file. All versions of Picasa for Windows, up to and including 3.6 Build 105.61, are reportedly affected. The hole has been closed in Picasa 3.6 Build 105.67; the latest 3.8 branch of Picasa is not affected. All users are advised to update.
More details can be found in the TechNet security advisory; Google's own release notes do not mention that the fix has been incorporated. The latest version of Picasa is available to download from picasa.google.com.
- Microsoft Vulnerability Research Advisory MSVR11-008, a TechNet security advisory.