Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
|
|
|
Want to learn about SecurityTracker? We've got answers to frequently asked questions right here
|
|
|
|
|
|
|
|
|
|
|
Adobe PhotoDeluxe Java Configuration Flaw Lets Malicious Applets Obtain Directory Listings and May Allow Remote Code to Be Executed on the User's Computer
|
Date: Feb 19 2002
|
Impact: Disclosure of system information, Execution of arbitrary code via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Description: A vulnerability has been reported in Adobe's PhotoDeluxe. A malicious remote applet may be able to obtain a directory listing or, in certain cases, execute arbitrary code on the user's computer.
CERT issued a vulnerability report (#116875) warning of a vulnerability in Adobe PhotoDeluxe that allows a malicious web page or
HTML email message viewed with Microsoft Internet Explorer to obtain directory listings or potentially download and execute arbitrary
code on the local system.
According to CERT, Dr. Hiromitsu Takagi reported that Java code installed by PhotoDeluxe is given
privileged access to the local system. Dr. Takagi's analysis is available here:
http://java-house.jp/~takagi/java/security/adobe-photodeluxe/
It is reported that PhotoDeluxe installs Java code and sets or prepends the CLASSPATH environment variable to include the directory
containing the code:
CLASSPATH=C:\Program Files\PhotoDeluxe HE 3.1\AdobeConnectables
Because the location is specified in
CLASSPATH, applets that call the code have privileged access to the local system. Applets using the PhotoDeluxe Java code can reportedly
be scripted via Internet Explorer (IE) and used to obtain directory listings on the local system. If IE is started from within
PhotoDeluxe via a Link button, then malicious code would be able to use the PhotoDeluxe Java code to download a Java archive that
could potentially execute arbitrary code on the local
system.
For more information, see the CERT report at:
http://www.kb.cert.org/vuls/id/116875
|
Impact: A remotely supplied applet can obtain directory listings on the local system. If IE is started from within PhotoDeluxe via a Link button, then malicious code could potentially execute arbitrary code on the local system.
|
Solution: As a solution, the following recommendations are provided by CERT:
1) At a minimum, disable Active scripting and Java in the Internet
zone and the zone used by Outlook, Outlook Express, or any other email client that uses Internet Explorer to render HTML.
2)
Modify the CLASSPATH environment variable to exclude the PhotoDeluxe Java code. Note that this will reportedly break the 'Connectables'
feature of PhotoDeluxe.
|
Vendor URL: www.adobe.com/products/photodeluxe/main.html (Links to External Site)
|
Cause: Configuration error
|
Underlying OS: Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 18 Feb 2002 18:17:37 -0500
Subject: Adobe PhotoDeluxe does not adequately restrict Java execution
|
CERT issued a vulnerability report (#116875) warning of a vulnerability
in Adobe PhotoDeluxe that allows a malicious web page or HTML email
message viewed with Microsoft Internet Explorer to obtain directory
listings or potentially download and execute arbitrary code on the local
system.
According to CERT, Dr. Hiromitsu Takagi reported that Java code
installed by PhotoDeluxe is given privileged access to the local
system. Dr. Takagi's analysis is available here:
http://java-house.jp/~takagi/java/security/adobe-photodeluxe/
It is reported that PhotoDeluxe installs Java code and sets or prepends
the CLASSPATH environment variable to include the directory containing
the code:
CLASSPATH=C:\Program Files\PhotoDeluxe HE 3.1\AdobeConnectables
Because the location is specified in CLASSPATH, applets that call the
code have privileged access to the local system. Applets using the
PhotoDeluxe Java code can reportedly be scripted via Internet Explorer
(IE) and used to obtain directory listings on the local system. If IE
is started from within PhotoDeluxe via a Link button, then malicious
code would be able to use the PhotoDeluxe Java code to download a Java
archive that could potentially execute arbitrary code on the local
system.
As a solution, the following recommendations are provided:
Disable Active scripting and Java
1) At a minimum, disable Active scripting and Java in the Internet zone
and the zone used by Outlook, Outlook Express, or any other email client
that uses Internet Explorer to render HTML.
2) Modify the CLASSPATH environment variable to exclude the PhotoDeluxe
Java code. Note that this will reportedly break the 'Connectables'
feature of PhotoDeluxe.
For more information, see the CERT report at:
http://www.kb.cert.org/vuls/id/116875
|
|
Go to the Top of This SecurityTracker Archive Page
|
