CPNI - Centre for the Protection of National Infrastructure


May 2005

Adobe Security Advisory: Adobe Version Cue 1.x local elevation of privilege

ID: 00436
Ref: 403/2005
Date: 24 May 2005:14:41:22
Version: 1

Title: Adobe Security Advisory: Adobe Version Cue 1.x local elevation of privilege
Abstract:
Vendors affected: Adobe
Operating systems affected: Adobe
Applications affected: Adobe

Title
=====

Adobe Security Advisory: Adobe Version Cue 1.x local elevation of privilege

Detail
======

A security vulnerability has been detected in a previous release
of Adobe Version Cue, a feature of Adobe Creative Suite, that only affects
computers running Mac OS X. A risk exists on Macintosh computers running Mac
OS X where a Version Cue Workspace is installed such that if the computer is
configured in a certain manner, a local user can possibly gain
administrative rights.



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Advisory for Adobe Version Cue 1.x local elevation of privilege

Advisory Name: Adobe Version Cue 1.x local elevation of privilege

Release Date: May 18, 2005

Product: Adobe Version Cue 1.x (Version Cue Workspace, version 1.0 and
version 1.0.1. Version Cue Workspace is a feature of Adobe Creative Suite,
and is included in Adobe Creative Suite 1.0 and 1.3.)

Platform: Macintosh, on all supported revisions of Mac OS X

Vulnerability Identifier: CAN-2005-1307

Overview: A security vulnerability has been detected in a previous release
of Adobe Version Cue, a feature of Adobe Creative Suite, that only affects
computers running Mac OS X. A risk exists on Macintosh computers running Mac
OS X where a Version Cue Workspace is installed such that if the computer is
configured in a certain manner, a local user can possibly gain
administrative rights.

Adobe is making a Required Update available at www.adobe.com
that addresses this problem. This update is the same
for Adobe Creative Suite Standard or Adobe Creative Suite Premium.

Effect: If exploited, the local user will have all the rights of the system
administrator including file and application management.

Details: If a computer running Mac OS X is configured for multiple user
accounts, and some users were not given administrative privileges but have
write access to one folder, the vulnerability can potentially be exploited.
This vulnerability cannot be exploited by users who do not have login
accounts on that machine.

Recommendations: If you use Version Cue 1.x, then download the Required
Update from the Adobe website at
www.adobe.com/support/downloads/detail.jsp?ftpID=2932 . The Required Update
amends internal Version Cue Workspace files to address the vulnerability
issue. The Required Update also changes user access rights for some Version
Cue infrastructure files needed by Version Cue Workspace.

Caveats: None

Vulnerability Identifier Cross-Reference: CAN-2005-1307

Adobe Disclaimer

License agreement

By using software of Adobe Systems Incorporated or its subsidiaries
("Adobe"); you agree to the following terms and conditions. If you do not
agree with such terms and conditions; do not use the software. The terms of
an end user license agreement accompanying a particular software file upon
installation or download of the software shall supersede the terms presented
below.

The export and re-export of Adobe software products are controlled by the
United States Export Administration Regulations and such software may not be
exported or re-exported to Cuba; Iran; Iraq; Libya; North Korea; Sudan; or
Syria or any country to which the United States embargoes goods. In
addition; Adobe software may not be distributed to persons on the Table of
Denial Orders; the Entity List; or the List of Specially Designated
Nationals.

By downloading or using an Adobe software product you are certifying that
you are not a national of Cuba; Iran; Iraq; Libya; North Korea; Sudan; or
Syria or any country to which the United States embargoes goods and that you
are not a person on the Table of Denial Orders; the Entity List; or the List
of Specially Designated Nationals.

If the software is designed for use with an application software product
(the "Host Application") published by Adobe; Adobe grants you a
non-exclusive license to use such software with the Host Application only;
provided you possess a valid license from Adobe for the Host Application.
Except as set forth below; such software is licensed to you subject to the
terms and conditions of the End User License Agreement from Adobe governing
your use of the Host Application.

DISCLAIMER OF WARRANTIES: YOU AGREE THAT ADOBE HAS MADE NO EXPRESS
WARRANTIES TO YOU REGARDING THE SOFTWARE AND THAT THE SOFTWARE IS BEING
PROVIDED TO YOU "AS IS" WITHOUT WARRANTY OF ANY KIND. ADOBE DISCLAIMS ALL
WARRANTIES WITH REGARD TO THE SOFTWARE; EXPRESS OR IMPLIED; INCLUDING;
WITHOUT LIMITATION; ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
PURPOSE; MERCHANTABILITY; MERCHANTABLE QUALITY OR NONINFRINGEMENT OF THIRD
PARTY RIGHTS. Some states or jurisdictions do not allow the exclusion of
implied warranties; so the above limitations may not apply to you.

LIMIT OF LIABILITY: IN NO EVENT WILL ADOBE BE LIABLE TO YOU FOR ANY LOSS OF
USE; INTERRUPTION OF BUSINESS; OR ANY DIRECT; INDIRECT; SPECIAL; INCIDENTAL;
OR CONSEQUENTIAL DAMAGES OF ANY KIND (INCLUDING LOST PROFITS) REGARDLESS OF
THE FORM OF ACTION WHETHER IN CONTRACT; TORT (INCLUDING NEGLIGENCE); STRICT
PRODUCT LIABILITY OR OTHERWISE; EVEN IF ADOBE HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. Some states or jurisdictions do not allow the
exclusion or limitation of incidental or consequential damages; so the above
limitation or exclusion may not apply to you.

Adobe, the Adobe logo, and Version Cue are either registered trademarks or
trademarks of Adobe Systems Incorporated in the United States and/or other
countries. Apple, Macintosh and Mac are trademarks of Apple Computer, Inc.,
registered in the United States and other countries. Use of the Required
Updater is governed by the license agreement you agree to before downloading
the Required Updater and the license agreement that came with Adobe Creative
Suite.

© 2005 Adobe Systems Incorporated. All rights reserved. Document
date: May 18, 2005.


- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: Adobe Product Security Management

iQA/AwUBQo6MqoHx+/0SZ0KhEQI8sQCdG0yja/CA5CzCBIAref5NEi1Ja9QAnRvg
O5hr+Z0cQ/CMh5twDtLJ3Tfn
=4RHM
- -----END PGP SIGNATURE-----
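
An audit sketch for the condition the advisory describes: non-administrative users holding write access to a folder, and access rights on Version Cue infrastructure files that the Required Update tightens. This is an added example, not part of the Adobe or CPNI text; the directory to audit is an assumption supplied by the caller, because the advisory does not name the affected folder.

```shell
#!/bin/sh
# Added example: report files and folders under an install tree that
# accounts other than the owner can modify.
# ASSUMPTION: the caller passes the Version Cue Workspace install
# directory; the advisory does not state its path.

# Print one line per finding: "<class><TAB><path>".
# Folders matter as much as files: write access to a folder lets a user
# replace or add entries even when the files themselves are read-only.
audit_writable() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Symlink mode bits are not meaningful, so symlinks are skipped.
    find "$dir" ! -type l -perm -002 \
        -exec printf 'world-writable\t%s\n' {} \;
    find "$dir" ! -type l -perm -020 ! -perm -002 \
        -exec printf 'group-writable\t%s\n' {} \;
}

# Return 0 when the tree has no group- or world-writable entries,
# 1 when it has (findings are printed), 2 on a bad argument.
audit_ok() {
    findings=$(audit_writable "$1") || return 2
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run the audit when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_ok "$1"
fi
```

Group-writable entries need a judgement call: they are a concern only when the owning group includes non-administrative accounts. Findings are a prompt to apply the Required Update, which is the fix the advisory specifies.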