Adobe warns of critical PageMaker, Illustrator flaws

Adobe warns of critical PageMaker, Illustrator flaws

Summary: Adobe has shipped patches for several high-risk security holes affecting its widely used PageMaker, Illustrator and GoLive 9 products.

SHARE:

Adobe warns of critical PageMaker, Illustrator flawsAdobe has shipped patches for several high-risk security holes affecting its widely used PageMaker, Illustrator and GoLive 9 products.

On the same day Microsoft released a batch of six security bulletins, Adobe joined the Patch Tuesday train with three advisories covering a total of five vulnerabilities.

The most serious is a buffer overflow in Adobe PageMaker 7.0.1 and PageMaker 7.0.2 that could allow an attacker to take control of the affected system. Adobe rates this a "critical" issue and recommends the patch is applied immediately.

Vuln.sg, the research outfit credited with the discovery, provides some technical details:

A stack-based buffer overflow occurs in Adobe PageMaker for Windows when a specially-crafted PageMaker (PMD) file that contains an overly long font-name is opened. This is due to a boundary error in MAIPM6.DLL when copying the font-name into a fixed-length stack buffer. This can be exploited to execute arbitrary code on the user's system when the user opens a malicious PMD file.

Adobe also plugged a pair of "critical" holes affecting Illustrator CS3, warning that malicious BMP, DIB, RLE, or PNG files opened in Illustrator by the user for an attacker could lead to code execution attacks.

[ SEE: Adobe confirms PDF backdoor, offers unsupported workaround ]

The third bulletin, also rated critical, from Adobe covers two vulnerabilities in GoLive 9 that could be exploited by malicious hackers to take control of a vulnerable system.

A user must be convinced to insert a malicious BMP, DIB, PNG, or RLE file into a GoLive document for an attacker to exploit these potential vulnerabilities. Users are recommended to update their installations with the instructions provided below, and Adobe encourages all customers to be cautious before opening any unknown file, regardless of which application they may be using.

An update for GoLive on Macintosh is not available at this time. In the meantime, Adobe recommends removing the PNG Plugin, or not using PNGs from untrusted sources.

Adobe is also working on a fix for a dangerous code execution flaw affecting Adobe Reader 8.1 and earlier versions, Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions, and Adobe Acrobat 3D.

Topics: Enterprise Software, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • can affect Photoshop also

    Ryan, the bulletin you mention from Adobe also references another bulletin it says is related, for Photoshop CS2 and CS3.

    It gives a similar set up update plugins, and is here: http://www.adobe.com/support/security/bulletins/apsb07-13.html.

    My own Photoshop CS3 apparently was delivered with the patch, as it had later dates for the plugins. This fits with the odd fact that the Illustrator plugin updates all had July dates. Apparently they already had been working on them, and had a clean set.

    All of this begs the question: why are these security updates not installed by the Adobe Updater, which I run regularly, and did in fact to 'catch' these updates when you mentioned them.

    The Adobe Updater surely does not - I just tried it before doing the manual procedure today. This is something worth taking up with them, or 'reporting on', imagine.

    Kind regards
    Narr vi