LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices

Reply
 
LinkBack Search this Thread
Old 09-10-2008, 05:58 PM   #1
texasone
Member
 
Registered: Jun 2008
Location: /home/lorax
Distribution: Debian Testing
Posts: 141

Rep: Reputation: 18
Security flaw in Photoshop


OK, first of, mods, please move if in the wrong section.

But anyways, this is brought up as a result of crummy programming from Adobe/Macromedia. In school, we have to use PhotoShop as our image editing software for webdesign. And during cropping, my teacher found out that the default setting was inches instead of pixels as the total crop size, and when a number too big for the program to read is put in, it crashes. Which happens a lot as many people use photos over 100 pixels and might forget to add px to the end so it doesn't go to inches. But to the main question: I know that when a program ends, it can lead a cracker to a way to break into your machine. I was wondering if this glitch/bug is strong enough for a security flaw in the system, or would it not allow the cracker far enough into your system to get any information like passwords??
 
Old 09-10-2008, 06:15 PM   #2
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 474
Blog Entries: 100

Rep: Reputation: 74
While it's true that most vulnerabilities are software bugs, the reverse is NOT true. Not all bugs are exploitable. For an attacker to utilize a bug like this, the attacker would need access to the buggy software...meaning this might lead to a local privilege escalation attack, but being that Photoshop does not listen on any ports (AFAIK), it's not likely that an attacker could use this for remotely "breaking in".

Now if this "bug" is proven to be exploitable for privilege escalation, and the attacker can exploit a service to gain a foothold on the system, then a bug like this could lead to a complete machine takeover...but I'd think that's rather unlikely. (I should hope you aren't running Photoshop suid)

Last edited by rocket357; 09-10-2008 at 06:19 PM.
 
Old 09-10-2008, 06:24 PM   #3
ErV
Senior Member
 
Registered: Mar 2007
Location: Russia
Distribution: Slackware 12.2
Posts: 1,202
Blog Entries: 3

Rep: Reputation: 62
Quote:
Originally Posted by texasone View Post
I was wondering if this glitch/bug is strong enough for a security flaw in the system, or would it not allow the cracker far enough into your system to get any information like passwords??
No.
Your program crashes with access violation caused by user actions, and doesn't connect to network. For remote code execution, bug (AFAIK) requires buffer overrun caused by data provided by external source connected via network, which doesn't always cause crash. It's unlikely that problem your mentioned might allow anyone to break in.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
firefox 1.0.6 - critical security flaw slackhack Linux - Security 3 09-23-2005 01:13 AM
News: Spoofing Is a Security Flaw ?? m_shroom Linux - Security 1 11-05-2004 08:57 PM
New Win XP Security Flaw ranger_nemo Linux - Security 9 02-25-2003 06:58 AM
Is this a Linux security flaw ? josedsilva Linux - Security 3 05-24-2002 12:03 AM
Flaw weakens Linux security software nikhiljosh Linux - Security 0 03-03-2002 04:20 AM


All times are GMT -5. The time now is 06:26 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration