
Photoshop CS3 Special Report: Security flaws discovered: not demonstrated to affect Macs, but may


CNET staff

Secunia has published two advisories indicating serious security flaws in Photoshop CS3, as well as its CS2 predecessor.

The first flaw can be exploited with a maliciously crafted PNG file (a widely used format, especially in Web publishing) and stems from a boundary error within the PNG.8BI Photoshop Format Plugin. Successful exploitation may allow execution of arbitrary code.

The second flaw is similar: it can be exploited with a maliciously crafted bitmap image processed by the BMP.8BI Photoshop Format Plugin (used to handle Bitmap files). It likewise holds the potential for arbitrary code execution.

Although there is no direct mention of Mac OS X vulnerability to these flaws, it appears that Mac versions of Photoshop CS3 and CS2 are potentially affected. We are awaiting confirmation from Adobe on that front. However, the flaw has only been demonstrated on the Windows platform.

John Nack, Senior Product Manager for Adobe Photoshop, told MacFixIt:

"Though Macs use essentially the same plug-ins to handle PNG and Bitmap files, the flaw has only been demonstrated under Windows."

Meanwhile, the temporary prophylactic against both flaws is to not open or use PNG or bitmap (.bmp) files from untrusted sources.
