Hackers Could Exploit Photoshop Flaw in Both Windows and Macs

The latest versions of Adobe Photoshop have "highly critical" security vulnerability. An exploit code that could manipulate this flaw has been released, according to a security researcher.

In its security advisory on April 25, 2007 Secunia noted that the security flaw makes an impact on Adobe Photoshop CS3, and also CS2. The flaw is in Photoshop's processing of bitmap files that include BMP, RLE and DIB thereby making way for malicious coders to attack with buffer overflow. With this, the attacker gains control of a system.

In a buffer overflow attack, a hacker intentionally causes a program to make an error. This allows the hacker to insert and execute his own code.

Although there is an exploit code, which the security researcher has demonstrated in exploiting the flaw, Secunia has still to find any adverse use of the exploit code, said Thomas Kristensen, chief technology officer at Secunia. ZDNet.co.uk published Kristensen's statement on April 27, 2007.

The exploit is not active as yet but the number of attacks would be limited, Kristensen said. This is primarily because only advertising agencies and image editors use Photoshop and not many private users, he reasoned.

Marsu a researcher discovered the flaw. Marsu has issued a sample exploit that opens Windows calculator program when the specially designed graphic file is opened in Photoshop software. Since Windows and Mac versions of Photoshop have a common code base it is possible that attackers would exploit the flaw on both operating systems.

It is also likely that the routines of Photoshop for handling other kinds of files have alike flaws. Flaws in Windows and Apple's QuickTime, which are now patched, enabled exploits to hide in GIF, JPEG and bitmap files. In addition, other applications in Adobe may use the same Photoshop's routines.

Meanwhile, Adobe has said that it is aware of the Photoshop security hole and is probing the issue. Recently, Photoshop released Photoshop CS3 as part of its Creative Suit 3 product line, or next generation web applications.

Until Adobe develops a patch for the flaw users are recommended not to open unknown bitmap files in Photoshop.

Related article: Hackers Redirect Windows Live Search to Malicious Sites

» SPAMfighter News - 5/5/2007