A security flaw in the installation of Adobe's License Management Service has put customers at risk of privilege escalation attacks, according to a warning from the software maker.
An advisory from Adobe Systems Inc. said the vulnerability affects multiple products, including the widely used Adobe Photoshop CS, Adobe Creative Suite 1.0 and Adobe Premiere Pro 1.x.
Security alerts aggregator Secunia rates the flaw as “moderately critical” and warned that a successful attack could give a malicious hacker access to a vulnerable system.
According to Adobe, the vulnerability exists due to a flaw in the installation of the License Management Service, which ships with various Adobe products that require product activation.
“If exploited, an unauthorized person can exploit this to run a program with administrator privileges,” the company added.
“Adobe is not aware of any report of malicious code that exploits this vulnerability. Adobe wants to be proactive by providing the users a simple mechanism to protect their systems,” the company said.
Customers using the latest version of Photoshop (version CS2) or Adobe Creative Suite (version CS2) are not exposed to the vulnerability, which affects products running on the Windows OS platform only.
The company has provided updates with instructions on its Web site.
Multiple Macromedia Product Patches
Software developer Macromedia Inc. has released patches rated “important” for a privilege escalation vulnerability in multiple products in the Macromedia MX 2004 suite.
The bug is similar to the license management flaw patched by Adobe and affects a range of Macromedia applications, including Studio, Studio with Flash Professional, Flash Professional, Flash, FreeHand, Dreamweaver, Fireworks, Director, Captivate and Contribute 2.x.
According to a Macromedia alert, Windows versions of the Macromedia installers and eLicensing client install a service with permissions that allow any member of the “Users” group to modify the service settings. This may allow local users to obtain the permissions of the “Local System” account.
“This potential vulnerability does not affect products installed on machines with a single user, and it cannot be exploited remotely,” the company said.
Hotfixes and updating instructions are available for download here.
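As an added example (not code from Adobe, Macromedia or the original article), an administrator can audit for the condition the Macromedia alert describes by parsing a service's security descriptor, in the SDDL form printed by "sc sdshow", and flagging allow entries that let a broad group change the service. It goes beyond the "Users" group named in the alert to cover Authenticated Users, Everyone and Interactive; the sample descriptors are constructed.

```python
import re

# SDDL right codes that let a trustee reconfigure a service or rewrite its ACL.
DANGEROUS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC",
             "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# The same rights as access-mask bits, for ACEs written in hex form.
MASKS = {0x0002: "DC", 0x40000: "WD", 0x80000: "WO",
         0x10000000: "GA", 0x40000000: "GW"}
# Broad low-privileged trustees, as SDDL aliases and as literal SIDs.
BROAD = {"BU": "Users", "S-1-5-32-545": "Users",
         "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
         "WD": "Everyone", "S-1-1-0": "Everyone",
         "IU": "Interactive", "S-1-5-4": "Interactive"}

def right_codes(rights):
    """Split an SDDL rights field into two-letter codes (hex masks are decoded)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for bit, code in MASKS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def weak_service_aces(sddl):
    """Return sorted (trustee, right) pairs where a broad group can modify the service."""
    start = sddl.find("D:")
    if start < 0:
        return []
    end = sddl.find("S:", start)          # the SACL only audits; ignore it
    dacl = sddl[start:end if end >= 0 else len(sddl)]
    findings = set()
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":   # only allow ACEs grant access
            continue
        trustee = BROAD.get(fields[5])
        if trustee:
            for code in right_codes(fields[2]) & set(DANGEROUS):
                findings.add((trustee, DANGEROUS[code]))
    return sorted(findings)

# Constructed samples in the format printed by "sc sdshow <service>".
WEAK = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;BU)"
SAFE = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

if __name__ == "__main__":
    for name, sd in (("weak", WEAK), ("safe", SAFE)):
        print(name, weak_service_aces(sd))
```

Any pair returned for a service that runs as Local System means members of that group can repoint the service, which is the escalation path the alert warns about.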
Symantec Corrects pcAnywhere Flaw
Internet security specialist Symantec Corp. has rolled out new versions of its pcAnywhere remote control tool to fix a potentially serious security hole.
In an online advisory, Symantec warned that the flaw could be exploited by malicious, local users to gain escalated privileges.
Affected products include pcAnywhere 9.x, 10.x and 11.x.