Security bulletin

Security Bulletin for Adobe Photoshop

Release date: May 8, 2012

Last updated: June 4, 2012

Vulnerability identifier: APSB12-11

Priority: 3

CVE number: CVE-2012-2027, CVE-2012-2028, CVE-2012-2052

Platform: Windows and Macintosh

Summary

Adobe released security updates for Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh. These updates address vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system.

Note that Adobe Photoshop CS6 (13.0) for Windows and Macintosh addresses these vulnerabilities. No update is required for users of Adobe Photoshop CS6 (13.0) for Windows and Macintosh.

Affected software versions

Adobe Photoshop CS5.1 (12.1) and earlier versions for Windows and Macintosh

Solution

Adobe has released Adobe Photoshop CS5 (12.0.5) and Adobe Photoshop CS5.1 (12.1.1) to address the vulnerabilities highlighted in this security bulletin.

Adobe recommends Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) customers update their product installations by following the instructions provided in the technote:
http://helpx.adobe.com/photoshop/kb/security-update-photoshop.html.
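
The version logic stated in this bulletin, written out for inventory triage. This is an added example, not Adobe's code: the host names and version strings are constructed sample data, the status labels are this example's own, and it assumes installed versions are reported as dotted decimals.

```python
import re

# Fixed builds named in the bulletin, keyed by (major, minor) release line.
FIXED = {(12, 0): (12, 0, 5), (12, 1): (12, 1, 1)}
FIRST_UNAFFECTED = (13, 0, 0)  # CS6 (13.0) already addresses the issues


def parse_version(text):
    """Parse '12.0.4' or '12.1' into a 3-tuple, padding missing parts with 0."""
    match = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)*\s*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def classify(version_text):
    """Return (status, target); target is the fixed build for that release line."""
    version = parse_version(version_text)
    if version >= FIRST_UNAFFECTED:
        return ("not_affected", None)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        if version < (12, 0, 0):
            # "CS5.1 (12.1) and earlier" is affected, but the bulletin
            # lists updates only for the 12.0 and 12.1 release lines.
            return ("affected_no_listed_update", None)
        return ("unknown", None)  # release line not covered by the bulletin
    target = ".".join(str(part) for part in fixed)
    if version >= fixed:
        return ("patched", target)
    return ("update_required", target)


# Constructed sample inventory: (host, installed Photoshop version).
INVENTORY = [
    ("ws-01", "12.0.4"), ("ws-02", "12.0.5"), ("mac-07", "12.1"),
    ("mac-09", "13.0"), ("ws-11", "11.0.2"),
]


def triage(inventory):
    """Map each host to its (status, target) pair."""
    return {host: classify(version) for host, version in inventory}


if __name__ == "__main__":
    for host, (status, target) in triage(INVENTORY).items():
        print(f"{host}: {status}" + (f" -> {target}" if target else ""))
```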

Priority and Severity ratings

Adobe categorizes these updates with the following priority ratings:

| Product | Updated Version | Platform | Priority Rating |
|---|---|---|---|
| Adobe Photoshop CS5 | 12.0.5 | Windows and Macintosh | 3 |
| Adobe Photoshop CS5.1 | 12.1.1 | Windows and Macintosh | 3 |


These updates address critical vulnerabilities in the software.

Details

Adobe released security updates for Adobe Photoshop CS5 (12.0) and Adobe Photoshop CS5.1 (12.1) for Windows and Macintosh. These updates address vulnerabilities that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. Exploitation requires the user to open a malicious file in Photoshop CS5.1 or earlier for Windows and Macintosh. Adobe is not aware of any attacks exploiting these vulnerabilities against Adobe Photoshop. Note that Adobe Photoshop CS6 (13.0) for Windows and Macintosh addresses these vulnerabilities. No update is required for users of Adobe Photoshop CS6 (13.0) for Windows and Macintosh.

This upgrade resolves a use-after-free TIFF vulnerability that could lead to code execution (CVE-2012-2027, Bugtraq ID 52634, which references: www.securityfocus.com/bid/52634/).

This upgrade resolves a buffer overflow vulnerability that could lead to code execution (CVE-2012-2028).

These updates resolve a stack-based buffer-overflow vulnerability in the Collada .DAE file format that could lead to code execution (CVE-2012-2052, Bugtraq ID 53464, which references: www.securityfocus.com/bid/53464/).

Acknowledgments

Adobe would like to thank the following individual and organization for reporting the relevant issue and for working with Adobe to help protect our customers:

  • nine8 of Code Audit Labs of vulnhunt.com with "vulnhunt fuzzing" tool. (CVE-2012-2028)

Revisions

June 4, 2012 - Added information on CVE-2012-2052 and release of updates to Adobe Photoshop CS5 (12.0) and CS5.1 (12.1).
May 11, 2012 - Added information on update to Adobe Photoshop CS5.x.
May 10, 2012 - Corrected last affected version number.
May 8, 2012 - Bulletin released.