'Highly critical' flaw found in Photoshop

Stephen Withers
Friday, 27 April 2007 07:35

Your IT - Home IT

Secunia has publicised a "highly critical" security flaw in Photoshop CS2 and CS3. Other versions and even other programs may also be affected.

Attributed to 'Marsu,' the problem is that malformed bitmap files (including .BMP, .DIB and .RLE) can trigger a stack-based buffer overflow. A maliciously-crafted file can take advantage of this vulnerability to execute arbitrary code.

Marsu has posted a sample exploit that runs Windows' calculator program when the specially-crafted image file is opened in Photoshop. Given that there's a common codebase for the Mac and Windows versions of Photoshop, it is likely that the flaw could be exploited on both platforms.

It is also possible that Photoshop's routines for handling other types of files have similar flaws. Now-patched flaws in both Windows and Apple's QuickTime allowed exploits to be hidden in JPEG, GIF and bitmap files, among others. Furthermore, other Adobe applications may use the same routines as Photoshop.

Until Adobe issues a patch, the recommendation is that users avoid opening bitmap files of uncertain parentage in Photoshop.