Release date: May 12, 2011
Vulnerability identifier: APSB11-10
CVE number: CVE-2011-0614, CVE-2011-0615
Platform: Windows
Critical vulnerabilities have been identified in Adobe Audition 3.0.1 and earlier versions for Windows. One of the vulnerabilities could allow an attacker, who successfully exploits the vulnerability, to run malicious code on the affected system. An attacker would need to convince a user to open a malicious binary Audition Session (.ses) file to successfully exploit the issue. The Audition Session (.ses) file format is an older format that is no longer supported with the release of Adobe Audition CS5.5. Adobe is not aware of any attacks exploiting these vulnerabilities against Adobe Audition.
Adobe Audition 3.0.1 and earlier versions for Windows
Adobe strongly recommends Audition users discontinue use of the Adobe Session (.ses) file format and switch to use of the XML session format. XML is a human-readable standard for electronically encoding documents with numerous benefits over binary formats. With the release of Audition CS5.5, the binary Audition Session (.ses) file format is no longer supported.
Adobe categorizes these as critical issues and recommends that users switch to use of the XML session format.
The .ses file format is an older format that is no longer supported as of the Adobe Audition CS5.5
release. Adobe has been encouraging users to switch to the XML session file format in place of the
binary Audition Session (.ses) file format (see http://blogs.adobe.com/insidesound/2010/03/audition_xml_session_format.html).
This update resolves a memory corruption issue that could lead to arbitrary code execution
(CVE-2011-0614).
This update resolves a memory corruption issue which can lead to arbitrary code execution
(CVE-2011-0615).
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers: