Software updates are released to address vulnerabilities in Adobe's license management service, multiple Macromedia products and Symantec's pcAnywhere.
A security flaw in the installation of Adobe's License Management Service has put customers at risk of privilege escalation attacks, according to a warning from the software maker.
An advisory from Adobe Systems Inc. said the vulnerability affects multiple products, including the widely used Adobe Photoshop CS, Adobe Creative Suite 1.0 and Adobe Premiere Pro 1.x.
Security alerts aggregator Secunia rated the flaw as "moderately critical" and warned that a successful attack could give a malicious hacker access to a vulnerable system.
According to Adobe, the vulnerability exists due to a flaw in the installation of the License Management Service, which ships with various Adobe products that require product activation.
"If exploited, an unauthorized person can exploit this to run a program with administrator privileges," the company added.
"Adobe is not aware of any report of malicious code that exploits this vulnerability. Adobe wants to be proactive by providing the users a simple mechanism to protect their systems," the company said.
Customers using the latest version of Photoshop (version CS2) or Adobe Creative Suite (version CS2) are not exposed to the vulnerability, which affects products running on the Windows OS platform only.
The company has provided updates with instructions on its Web site.
Multiple Macromedia Product Patches
Software developer Macromedia Inc. has released patches rated "important" for a privilege escalation vulnerability in multiple products in the Macromedia MX 2004 suite.
The bug is similar to the license management flaw patched by Adobe and affects a range of Macromedia applications, including Studio, Studio with Flash Professional, Flash Professional, Flash, FreeHand, Dreamweaver, Fireworks, Director, Captivate and Contribute 2.x.
According to a Macromedia alert, Windows versions of the Macromedia installers and eLicensing client install a service with permissions that allow any member of the "Users" group to modify the service settings. This may allow local users to obtain the permissions of the "Local System" account.
"This potential vulnerability does not affect products installed on machines with a single user, and it cannot be exploited remotely," the company said.
Hotfixes and updating instructions are available for download here.
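The service-permission weakness described in the Macromedia alert can be checked for on any Windows service by reading its security descriptor. The following is an added example, not code from the article, Macromedia or Adobe: it parses a descriptor in the SDDL form that `sc sdshow` prints and reports allow entries that let low-privileged trustees modify the service. It goes beyond the "Users" group case to cover other broad groups and other write rights; the function names are hypothetical and the sample descriptors are constructed.

```python
import re

# SDDL right codes that let a trustee reconfigure or take over a service object.
RISKY_CODES = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
               "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# The same rights as access-mask bits, for ACEs whose rights field is written in hex.
RISKY_BITS = {0x00000002: "SERVICE_CHANGE_CONFIG", 0x00040000: "WRITE_DAC",
              0x00080000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL",
              0x40000000: "GENERIC_WRITE"}
# Trustees that ordinary local accounts belong to (SDDL alias or well-known SID).
LOW_PRIV = {"BU": "Builtin Users", "S-1-5-32-545": "Builtin Users",
            "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
            "WD": "Everyone", "S-1-1-0": "Everyone",
            "IU": "Interactive", "S-1-5-4": "Interactive"}

def risky_rights(rights):
    """Return the risky rights named in one ACE rights field, sorted by name."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return sorted(name for bit, name in RISKY_BITS.items() if mask & bit)
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return sorted(RISKY_CODES[c] for c in codes if c in RISKY_CODES)

def audit_service_sddl(sddl):
    """List (trustee, rights) pairs where a low-privileged trustee can modify the service."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # DACL only; the S: part is audit rules
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        # Only plain allow ACEs are evaluated; deny and conditional ACEs are skipped.
        if len(fields) != 6 or fields[0] != "A" or fields[5] not in LOW_PRIV:
            continue
        rights = risky_rights(fields[2])
        if rights:
            findings.append((LOW_PRIV[fields[5]], rights))
    return findings

# Constructed descriptors for illustration, not taken from any real product.
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRRC;;;BU)")
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WIDE_OPEN = "D:(A;;0x000f01ff;;;AU)"

if __name__ == "__main__":
    for name, sd in (("WEAK", WEAK), ("HARDENED", HARDENED), ("WIDE_OPEN", WIDE_OPEN)):
        print(name, audit_service_sddl(sd))
```

A finding of SERVICE_CHANGE_CONFIG for a broad group on a service that runs as Local System matches the condition the alert describes.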
Symantec Corrects pcAnywhere Flaw
Internet security specialist Symantec Corp. has rolled out new versions of its pcAnywhere remote control tool to fix a potentially serious security hole.
In an online advisory, Symantec warned that the flaw could be exploited by malicious, local users to gain escalated privileges.
Affected products include pcAnywhere 9.x, 10.x and 11.x.
The company said the vulnerability is caused by a design error that makes it possible for a non-privileged, local user to gain system privileges by manipulating the "Caller Properties" feature to run arbitrary commands when the system is restarted.
Successful exploitation requires that the program has been configured to run as a service ("Launch with Windows" setting enabled).
pcAnywhere users are urged to update to version 11.5 or apply appropriate product patches.
Symantec has released separate patches for consumer versions and enterprise versions.