Security bulletin

Security Bulletin for Adobe Photoshop

Release date: May 8, 2012

Last updated: August 31, 2012

Vulnerability identifier: APSB12-11

Priority: 3

CVE number: CVE-2012-2027, CVE-2012-2028, CVE-2012-2052, CVE-2012-0275

Platform: Windows and Macintosh

Summary

Adobe released security updates for Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh. These updates address vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.

Note that Adobe Photoshop CS6 (13.0) for Windows and Macintosh addresses three of these vulnerabilities (CVE-2012-2027, CVE-2012-2028, CVE-2012-2052). Users of Adobe Photoshop CS6 (13.0) should update to Adobe Photoshop CS6 (13.0.1), as referenced in Security Bulletin APSB12-20, which addresses CVE-2012-0275.

Affected software versions

Adobe Photoshop CS5.1 (12.1) and earlier versions for Windows and Macintosh

Solution

Adobe has released Adobe Photoshop CS5 (12.0.5) and Adobe Photoshop CS5.1 (12.1.1) to address the vulnerabilities highlighted in this security bulletin.



Adobe recommends that Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) customers update their product installations by following the instructions provided in the technote:

http://helpx.adobe.com/photoshop/kb/security-update-photoshop.html
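For administrators checking a fleet against the fixed builds named in this bulletin, the following inventory triage is an added example and is not Adobe code. The inventory rows are constructed, and treating every 12.x build below the fixed one as exposed to all four CVEs is an assumption, since the bulletin does not break down intermediate builds.

```python
import re

ALL_CVES = ["CVE-2012-2027", "CVE-2012-2028", "CVE-2012-2052", "CVE-2012-0275"]

# (major, minor) branch -> (fixed build named in the bulletin, CVEs assumed open below it)
FIXED = {
    (12, 0): ((12, 0, 5), ALL_CVES),
    (12, 1): ((12, 1, 1), ALL_CVES),
    (13, 0): ((13, 0, 1), ["CVE-2012-0275"]),  # CS6 fix is referenced in APSB12-20
}

def parse_version(text):
    """Return (major, minor, patch) from a bare version string such as '12.0.4' or '12.1 x64'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(version_text):
    """Classify one installed version as (status, target_build, open_cves)."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        fixed, cves = FIXED[branch]
        if v >= fixed:
            return ("patched", None, [])
        return ("update", ".".join(map(str, fixed)), list(cves))
    if v < (12, 0, 0):
        # "CS5.1 (12.1) and earlier" is affected, but the bulletin names no
        # fixed build for branches older than CS5, so flag these for upgrade.
        return ("affected-no-fix-listed", None, list(ALL_CVES))
    return ("not-covered", None, [])  # newer than anything this bulletin discusses

# Constructed inventory rows: (host, version string as an asset tool might report it).
INVENTORY = [("ws-01", "12.0.4"), ("ws-02", "12.1.1 x64"),
             ("mac-07", "13.0"), ("ws-09", "11.0.2")]

def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(ver) for host, ver in inventory}

if __name__ == "__main__":
    for host, (status, target, cves) in report(INVENTORY).items():
        print(f"{host:8} {status:24} target={target} open={','.join(cves) or '-'}")
```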




Priority and Severity ratings

Adobe categorizes these updates with the following priority ratings:

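| Product         | Updated Version | Platform              | Priority Rating |
|-----------------|-----------------|-----------------------|-----------------|
| Adobe Photoshop | CS5 (12.0.5)    | Windows and Macintosh | 3               |
| Adobe Photoshop | CS5.1 (12.1.1)  | Windows and Macintosh | 3               |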



These updates address critical vulnerabilities in the software.

Details

Adobe released security updates for Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh. These updates address vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. Adobe Photoshop CS6 addresses these vulnerabilities. A malicious file must be opened in Photoshop CS5.1 and earlier for Windows and Macintosh by the user for an attacker to be able to exploit these vulnerabilities. Adobe is not aware of any attacks exploiting these vulnerabilities against Adobe Photoshop.




This upgrade resolves a use-after-free TIFF vulnerability that could lead to code execution (CVE-2012-2027, Bugtraq ID 52634, which references: www.securityfocus.com/bid/52634/).

This upgrade resolves a buffer overflow vulnerability that could lead to code execution (CVE-2012-2028).

These updates resolve a stack-based buffer-overflow vulnerability in the Collada .DAE file format that could lead to code execution (CVE-2012-2052, Bugtraq ID 53464, which references: www.securityfocus.com/bid/53464/).

These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2012-0275).

Acknowledgments

Adobe would like to thank the following individual and organization for reporting the relevant issue and for working with Adobe to help protect our customers:

nine8 of Code Audit Labs of vulnhunt.com with "vulnhunt fuzzing" tool. (CVE-2012-2028)

Carsten Eiram, Secunia Research (CVE-2012-0275)

Revisions

August 31, 2012 - Added information on CVE-2012-0275

June 4, 2012 - Added information on CVE-2012-2052 and release of updates to Adobe Photoshop CS5 (12.0) and CS5.1 (12.1)

May 11, 2012 - Added information on update to Adobe Photoshop CS5.x.

May 10, 2012 - Corrected last affected version number.

May 8, 2012 - Bulletin released.