Security bulletin

Workaround available for security vulnerability caused by installing Adobe Version Cue CS3 Server on some Mac systems

Release date: May 16, 2007

Vulnerability identifier: APSB07-11

CVE number: CVE-2007-2682

Platform: Mac OS X

Affected software versions

Adobe Version Cue CS3 Server (installed as part of Adobe Creative Suite 3 Design Premium, Design Standard, Web Premium, or Web Standard editions)

Summary

When you install Adobe Version Cue CS3 Server on Mac systems that have the Mac OS X personal firewall enabled, the installer turns off the firewall to correctly set up Version Cue Server but does not turn the firewall back on at the end. This creates a potential security vulnerability.

Solution

Adobe recommends turning the personal firewall in Mac OS X back on using these instructions:

  1. From the Apple menu, select System Preferences.
  2. Click the Sharing icon, and then click the Firewall tab.
  3. Click Start.

Severity rating

Adobe categorizes this as a critical issue and recommends that affected users manually reactivate their personal firewall settings on their Mac systems.

Details

On Mac OS X, customers can turn on a personal firewall to control how Internet services communicate with their systems. During the installation of Adobe Creative Suite 3, the installer sets TCP ports 3703, 3704, 50900, and 50901, in accordance with Apple’s specification, to allow controlled access to Adobe Version Cue CS3 Server through the Mac OS X firewall service.

To be granted access to these ports, the installer must first turn off the personal firewall. Currently, the installer does not automatically reactivate the firewall after it sets up Version Cue CS3 Server, which creates a potential security vulnerability.

The identified vulnerability, if exploited, would compromise the security of the user’s computer, potentially without the user being aware of it. Issues that could occur range from compromised data security, including access to confidential data, to execution of malicious native code. The workaround is for customers to manually turn their personal firewall on again using the instructions provided in the ‘Solution’ section.
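
The check below is an added example, not part of Adobe's bulletin: a shell script that reads an `ipfw list` rule listing and reports whether the firewall is filtering and which of the four Version Cue ports have allow rules. It assumes the Mac OS X personal firewall is backed by `ipfw` and that a stopped firewall leaves only the default allow rule; the function names and the two embedded rule listings are constructed for illustration.

```shell
# Added example: audit `ipfw list` output for the state this bulletin describes.
# Assumption: a stopped firewall has no deny/reject rules, only the default rule.
VC_PORTS="3703 3704 50900 50901"   # TCP ports named in the bulletin
# Constructed sample listings (not captured from a real system).
SAMPLE_OFF='65535 allow ip from any to any'
SAMPLE_ON='02000 allow ip from any to any via lo*
02070 allow tcp from any to any dst-port 3703,3704 in
02080 allow tcp from any to any dst-port 50900-50901 in
12190 deny tcp from any to any
65535 allow ip from any to any'

# Print "on" if any deny/reject rule precedes the default rule, else "off".
firewall_state() {
    awk '$1 != "65535" && ($2 == "deny" || $2 == "reject") { on = 1 }
         END { print (on ? "on" : "off") }'
}

# Print the Version Cue ports covered by an "allow tcp ... dst-port" rule;
# handles comma lists (a,b) and ranges (a-b) in the port field.
vc_ports_allowed() {
    awk -v want="$VC_PORTS" '
    BEGIN { n = split(want, w, " ") }
    $2 == "allow" && $3 == "tcp" {
        for (i = 4; i < NF; i++) {
            if ($i != "dst-port") continue
            m = split($(i + 1), p, ",")
            for (j = 1; j <= m; j++) {
                lo = p[j]; hi = p[j]
                if (split(p[j], r, "-") == 2) { lo = r[1]; hi = r[2] }
                for (k = 1; k <= n; k++)
                    if (w[k] + 0 >= lo + 0 && w[k] + 0 <= hi + 0) hit[w[k]] = 1
            }
        }
    }
    END { for (k = 1; k <= n; k++) if (w[k] in hit) out = out (out == "" ? "" : " ") w[k]
          print out }'
}

# Read a rule listing on stdin and print a one-line summary.
audit() {
    rules=$(cat)
    state=$(printf '%s\n' "$rules" | firewall_state)
    ports=$(printf '%s\n' "$rules" | vc_ports_allowed)
    echo "firewall=$state version_cue_ports_allowed=${ports:-none}"
}

printf '%s\n' "$SAMPLE_OFF" | audit
printf '%s\n' "$SAMPLE_ON" | audit
```

Under the same assumption, a live listing would be piped in as `sudo ipfw list | audit`; a result of `firewall=off` after installing Version Cue CS3 Server matches the condition the bulletin describes.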