SecurityTracker.com
Category:   Application (Generic)  >   PhotoDeluxe
Vendors:   Adobe Systems Incorporated
Adobe PhotoDeluxe Java Configuration Flaw Lets Malicious Applets Obtain Directory Listings and May Allow Remote Code to Be Executed on the User's Computer
SecurityTracker Alert ID:  1003590
SecurityTracker URL:  http://securitytracker.com/id/1003590
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 19 2002
Impact:   Disclosure of system information, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability has been reported in Adobe's PhotoDeluxe. A malicious remote applet may be able to obtain a directory listing or, in certain cases, execute arbitrary code on the user's computer.

CERT issued a vulnerability report (#116875) warning of a vulnerability in Adobe PhotoDeluxe that allows a malicious web page or HTML email message viewed with Microsoft Internet Explorer to obtain directory listings or potentially download and execute arbitrary code on the local system.

According to CERT, Dr. Hiromitsu Takagi reported that Java code installed by PhotoDeluxe is given privileged access to the local system. Dr. Takagi's analysis is available here:

http://java-house.jp/~takagi/java/security/adobe-photodeluxe/

It is reported that PhotoDeluxe installs Java code and sets or prepends the CLASSPATH environment variable to include the directory containing the code:

CLASSPATH=C:\Program Files\PhotoDeluxe HE 3.1\AdobeConnectables

Because the location is specified in CLASSPATH, applets that call the code have privileged access to the local system. Applets using the PhotoDeluxe Java code can reportedly be scripted via Internet Explorer (IE) and used to obtain directory listings on the local system. If IE is started from within PhotoDeluxe via a Link button, then malicious code would be able to use the PhotoDeluxe Java code to download a Java archive that could potentially execute arbitrary code on the local system.

For more information, see the CERT report at:

http://www.kb.cert.org/vuls/id/116875

Impact:   A remotely supplied applet can obtain directory listings on the local system. If IE is started from within PhotoDeluxe via a Link button, then malicious code could potentially execute arbitrary code on the local system.
Solution:   CERT provides the following recommendations:

1) At a minimum, disable Active scripting and Java in the Internet zone and the zone used by Outlook, Outlook Express, or any other email client that uses Internet Explorer to render HTML.

2) Modify the CLASSPATH environment variable to exclude the PhotoDeluxe Java code. Note that this will reportedly break the 'Connectables' feature of PhotoDeluxe.
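One way to carry out recommendation 2 is to audit a CLASSPATH value for entries that point at the PhotoDeluxe directory and produce a cleaned value. The following is an added example, not code from CERT, Adobe or the original advisory; the function names and the sample CLASSPATH string are constructed for illustration, and the flagged directory is the one quoted above.

```python
import ntpath  # Windows path rules, usable on any OS for offline review

# Directory named in the advisory; PhotoDeluxe sets or prepends it to CLASSPATH.
FLAGGED_DIR = r"C:\Program Files\PhotoDeluxe HE 3.1\AdobeConnectables"

# Constructed sample value (not taken from a real system).
SAMPLE = FLAGGED_DIR + r";.;C:\jdk\lib\tools.jar"


def _normalize(entry):
    """Canonical form for comparison: drop quotes, fix separators, fold case."""
    cleaned = entry.strip().strip('"').strip()
    if not cleaned:
        return ""
    return ntpath.normcase(ntpath.normpath(cleaned))


def _is_under(entry, base):
    """True if entry is the base directory or anything inside it (jars, wildcards)."""
    e, b = _normalize(entry), _normalize(base)
    return e == b or e.startswith(b + "\\")


def audit_classpath(value, flagged_dir=FLAGGED_DIR):
    """Split a Windows CLASSPATH on ';' and return (kept, removed) entries."""
    kept, removed = [], []
    for entry in value.split(";"):
        if not entry.strip():
            continue  # ignore empty segments such as a trailing ';'
        (removed if _is_under(entry, flagged_dir) else kept).append(entry)
    return kept, removed


def cleaned_classpath(value, flagged_dir=FLAGGED_DIR):
    """CLASSPATH with every entry under the flagged directory removed."""
    kept, _ = audit_classpath(value, flagged_dir)
    return ";".join(kept)


if __name__ == "__main__":
    kept, removed = audit_classpath(SAMPLE)
    print("removed:", removed)
    print("new CLASSPATH:", cleaned_classpath(SAMPLE))
```

The comparison is textual, so an entry written with an 8.3 short name (for example a `PROGRA~1` form) will not match and needs to be checked by hand.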

Vendor URL:  www.adobe.com/products/photodeluxe/main.html
Cause:   Configuration error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Adobe PhotoDeluxe does not adequately restrict Java execution


CERT issued a vulnerability report (#116875) warning of a vulnerability
in Adobe PhotoDeluxe that allows a malicious web page or HTML email
message viewed with Microsoft Internet Explorer to obtain directory
listings or potentially download and execute arbitrary code on the local
system. 

According to CERT, Dr. Hiromitsu Takagi reported that Java code
installed by PhotoDeluxe is given privileged access to the local
system.  Dr. Takagi's analysis is available here: 
                     
http://java-house.jp/~takagi/java/security/adobe-photodeluxe/

It is reported that PhotoDeluxe installs Java code and sets or prepends
the CLASSPATH environment variable to include the directory containing
the code:

  CLASSPATH=C:\Program Files\PhotoDeluxe HE 3.1\AdobeConnectables

Because the location is specified in CLASSPATH, applets that call the
code have privileged access to the local system.  Applets using the
PhotoDeluxe Java code can reportedly be scripted via Internet Explorer
(IE) and used to obtain directory listings on the local system.  If IE
is started from within PhotoDeluxe via a Link button, then malicious
code would be able to use the PhotoDeluxe Java code to download a Java
archive that could potentially execute arbitrary code on the local
system. 

As a solution, the following recommendations are provided:

 Disable Active scripting and Java 

1) At a minimum, disable Active scripting and Java in the Internet zone
and the zone used by Outlook, Outlook Express, or any other email client
that uses Internet Explorer to render HTML. 

2) Modify the CLASSPATH environment variable to exclude the PhotoDeluxe
Java code.  Note that this will reportedly break the 'Connectables'
feature of PhotoDeluxe. 

For more information, see the CERT report at:

http://www.kb.cert.org/vuls/id/116875


 
 



Copyright 2019, SecurityGlobal.net LLC