Security bulletin

Workaround available for potential Photoshop Elements privilege escalation issue

Release date: November 10, 2009

Last updated: April 29, 2010

Vulnerability identifier: APSB09-17

CVE number: CVE-2009-3489

Platform: Windows

Summary

A moderate vulnerability has been identified in Adobe Photoshop Elements versions 8.0 and 7.0. The vulnerability could allow a user with valid login credentials and/or physical access, who successfully exploits the vulnerability, to execute arbitrary commands with elevated privileges. Adobe is not aware of any exploits in the wild for the issue. It is recommended that users update their installations using the instructions provided below.

Affected software versions

Photoshop Elements 8.0
Photoshop Elements 7.0

Solution

For Photoshop Elements version 7 users, this issue is resolved in the Photoshop Elements 7.0.3 update, available here:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=4610.

Adobe recommends that Photoshop Elements (PSE) version 8 users log in as an Administrator to the machine on which the application has been installed and follow the steps below to mitigate this potential issue:

  1. Go to the Start Menu.
  2. Click Run.
  3. Type in "cmd".
  4. Hit Enter / click OK.
  5. For PSE8, copy and paste the following command:
     sc sdset AdobeActiveFileMonitor8.0 D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
  6. Hit Enter.
  7. You should get a response stating "[SC] SetServiceObjectSecurity SUCCESS".

NOTE: This command should be run after PSE has been launched at least once. The initial launch of PSE sets the service to automatic. If this command is run before the initial launch, PSE may fail to set the service to run automatically. Changing the service to automatic will require an administrative account after running the command.
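
To see what the descriptor in step 5 grants, and to audit the string that "sc sdshow AdobeActiveFileMonitor8.0" prints after the change, the following added example (not Adobe's code) decodes a service DACL and lists any trustee other than Administrators (BA) or Local System (SY) that holds a right to reconfigure the service. The function names and the second sample descriptor are constructed for illustration; hex access masks and generic rights (GA, GW) are outside what it handles.

```python
import re

# SDDL two-letter rights as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let the holder reconfigure the service or rewrite its ACL.
WRITE_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
# Trustees expected to hold them: Built-in Administrators and Local System.
PRIVILEGED = {"BA", "SY"}

# The descriptor applied by the bulletin's sc sdset command.
BULLETIN_SDDL = ("D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)")
# Constructed for this example (not taken from the bulletin): a descriptor
# in which Authenticated Users also hold SERVICE_CHANGE_CONFIG.
CONSTRUCTED_WEAK_SDDL = "D:(A;;CCDCLCSWRPLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"


def parse_dacl(sddl):
    """Return {trustee: set of right names} for the allow ACEs of the DACL."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop owner/group and SACL
    grants = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inherit, trustee = ace.split(";")[:6]
        if ace_type != "A":  # only access-allowed ACEs grant rights
            continue
        if not re.fullmatch(r"(?:[A-Z]{2})*", rights):
            raise ValueError("unsupported rights field: " + rights)
        names = {SERVICE_RIGHTS.get(c, c) for c in re.findall("..", rights)}
        grants.setdefault(trustee, set()).update(names)
    return grants


def risky_grants(sddl):
    """Return {trustee: write rights held} for non-privileged trustees."""
    return {t: sorted(r & WRITE_RIGHTS)
            for t, r in parse_dacl(sddl).items()
            if t not in PRIVILEGED and r & WRITE_RIGHTS}


if __name__ == "__main__":
    print(risky_grants(BULLETIN_SDDL))          # no findings for the bulletin's ACL
    print(risky_grants(CONSTRUCTED_WEAK_SDDL))  # flags AU
```

With the bulletin's descriptor, Authenticated Users (AU) can query the service, Power Users (PU) can additionally start it, and only Administrators can change its configuration, DACL or owner.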

Severity rating

Adobe categorizes this as a moderate issue and recommends that users follow the instructions above for their product installations to mitigate this issue.

Details

A moderate vulnerability has been identified in Adobe Photoshop Elements versions 8.0 and 7.0. The vulnerability could allow a local user, who successfully exploits the vulnerability, to execute arbitrary commands with elevated privileges by altering service permissions. This vulnerability has been publicly disclosed (CVE-2009-3489). Adobe is not aware of any exploits in the wild for the issue. Valid login credentials and/or physical access to a computer are required for service permissions to be altered. It would not be possible to exploit this issue from a remote source. It is recommended that users update their installations using the instructions provided above.

Revisions

April 29, 2010 - Information on Photoshop Elements version 7.0.3 added.
November 10, 2009 - Bulletin released.