Security threats Toolkit

Attack code published for 'critical' Photoshop flaw

Dawn Kawamoto CNET News.com

Published: 27 Apr 2007 12:14 BST

Exploit code that could take advantage of a "highly critical" security flaw in the most recent versions of Adobe Photoshop has been published, a security researcher reported.

The security flaw affects Adobe Photoshop CS3, as well as CS2, according to a security advisory issued by Secunia on Wednesday.

The vulnerability concerns the way Adobe Photoshop handles the processing of malicious bitmap files, such as .bmp, .dib and .rle. A malicious attacker could exploit the flaw to launch a buffer overflow attack. That buffer overflow would then allow the intruder to take over a user's system.

Although a security researcher has published code to demonstrate how to exploit the vulnerability, Secunia has yet to detect any malicious use of the code, said Thomas Kristensen, Secunia's chief technology officer.

Sentry Posts Blog

Guarding the network

What you need to know — and what you and your peers have to tell us — about security management in our new community group blog

"There are no active exploits out there yet, but any attacks will be limited," Kristensen said. "Photoshop is primarily used by advertising agencies and image editors and not a lot of private individuals."

Until Adobe Systems develops a fix, Secunia advises users to forgo opening bitmap files where the source of the file is not clear or verifiable.

A researcher named Marsu is credited with discovering the vulnerability.

Adobe, meanwhile, issued a statement saying it has been notified of the potential Photoshop security flaw and is investigating the issue.

Adobe recently released Photoshop CS3, which is part of its larger Creative Suite 3 product line, or next-generation design and web applications. Adobe noted that it will update customers on its Photoshop CS3 investigation as it learns more.