Adobe Photoshop: Need a Security Fix? Upgrade to a Later Version and Don’t Forget to Pay for It!

Adobe recently posted a security bulletin for Adobe Photoshop addressing a security vulnerability in the handling of TIFF files. The vulnerability allows arbitrary code execution, resulting in system-wide control for a cracker. It affects all versions of Photoshop prior to and including CS5, on both Windows and Mac.

The vulnerability is specified on Symantec’s Security Focus as:

Adobe Photoshop is prone to a use-after-free memory-corruption vulnerability.
Attackers may exploit this issue to execute arbitrary code in the context of the user running the affected application.
Adobe Photoshop CS5.1 (version 12.1) is vulnerable; other versions may also be affected.

The only solution, which in reality is a non-solution, is to update to Adobe Photoshop CS6. And just in case you were wondering: no, it will not come for free if you already have CS5. With this shoddy decision, Adobe is creating a new trend in the world of security fixes, where a later paid version can be called a fix for an existing vulnerability in an earlier version. In a way, it will force users to upgrade, and while they are at it, Adobe will earn some free cash out of its own fault.

Adobe has released Adobe Photoshop CS6, which addresses these vulnerabilities. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources.

Whenever we install software, we agree to a EULA. The same EULA has liability provisions as well, and now that Adobe is (probably) psych-testing its users for this new liability-based business model, someone might just go ahead and file a class action lawsuit in the coming days.

If you want to see this vulnerability in action, proof-of-concept apps are available at this page.

(Via: Slashdot)

Published by Chinmoy Kanjilal