Adobe Reader/Adobe Acrobat Updater May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1014319
SecurityTracker URL: http://securitytracker.com/id?1014319
CVE Reference: CAN-2005-1624
Date: Jun 28 2005
Impact: Root access via local system, User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Adobe Advisory
Version(s): Adobe Acrobat and Adobe Reader 7.0 and 7.0.1
Description: A vulnerability was reported in the updater function of Adobe Reader and Adobe Acrobat. A local user may be able to gain elevated privileges.
When Adobe Reader or Acrobat updates are downloaded, the updater elevates the permissions on a pre-existing Safari Frameworks folder for all users.
If there is no pre-existing Safari Frameworks folder, the updater creates a new Frameworks folder with elevated permissions for all users.
The vendor credits John C. Welch with reporting this vulnerability.
Impact: A local user may be able to gain elevated privileges.
Solution: The vendor has issued a fixed version (7.0.2), available at:
http://www.adobe.com/support/downloads/
Vendor URL: www.adobe.com/support/techdocs/331711.html
Cause: Access control error
Underlying OS: UNIX (OS X)
Message History:
None.
Source Message Contents
Date: Tue, 28 Jun 2005 03:30:27 -0400
Subject: http://www.adobe.com/support/techdocs/331711.html
> Updater elevates folder permissions (Acrobat and Adobe Reader on Mac OS)
>
> Advisory Name : Adobe Acrobat and Adobe Reader Updater elevated folder permissions
>
> Release Date: June 27th, 2005
>
> Product: Adobe Reader 7.0 and 7.0.1, Adobe Acrobat 7.0 and 7.0.1
>
> Platform: Mac OS
>
> Vulnerability Identifier: CAN-2005-1624