
CERT Coordination Center

Adobe PhotoDeluxe does not adequately restrict Java execution

Vulnerability Note VU#116875

Original Release Date: 2002-02-09 | Last Revised: 2002-02-09

Overview

A vulnerability exists in Adobe PhotoDeluxe that allows a malicious web page or HTML email message viewed with Microsoft Internet Explorer to obtain directory listings or potentially download and execute arbitrary code on the local system.

Description

Adobe PhotoDeluxe is an image manipulation application for the Windows platform. PhotoDeluxe is geared towards the home user market and is bundled with a number of image capture devices, such as scanners and digital cameras. Dr. Hiromitsu Takagi has reported that Java code installed by PhotoDeluxe is given privileged access to the local system and can be exploited by a malicious web page or HTML email message viewed through Internet Explorer. Dr. Takagi's analysis is available here:

http://java-house.jp/~takagi/java/security/adobe-photodeluxe/

PhotoDeluxe provides a feature called "Connectables" that gives users the ability to download additional design elements from Adobe's web site. PhotoDeluxe installs Java code to support the Connectables feature, and sets or prepends the CLASSPATH environment variable to include the directory containing the code:

CLASSPATH=C:\Program Files\PhotoDeluxe HE 3.1\AdobeConnectables

In Windows 95 and 98, CLASSPATH is set with a command in autoexec.bat. In Windows NT and 2000, CLASSPATH is set via the registry on a per-user basis.

According to the Sun Java Applet Security FAQ:

There are two ways for an applet to be considered trusted:
1. The applet is installed on the local hard disk, in a directory on the CLASSPATH used by the program that you are using to run the applet. Usually, this is a Java-enabled browser, but it could be the appletviewer, or other Java programs that know how to load applets.

If an applet resides on the client's local disk, and in a directory that is on the client's CLASSPATH, then it is loaded by the file system loader. The most important differences [between applets loaded over the net and applets loaded via the file system] are

    • applets loaded via the file system are allowed to read and write files
    • applets loaded via the file system are allowed to load libraries on the client
    • applets loaded via the file system are allowed to exec processes
    • applets loaded via the file system are allowed to exit the virtual machine
    • applets loaded via the file system are not passed through the byte code verifier
For more information on the Java security model see Sun's Java documentation, particularly the Applet Security FAQ referenced above. Microsoft provides similar documentation in their Java Security Overview and a corresponding FAQ.

Since the location of the PhotoDeluxe Java code is specified in the CLASSPATH environment variable, applets that call the code have privileged access to the local system. Through Microsoft Internet Explorer, applets using the PhotoDeluxe Java code can be scripted and used to obtain directory listings on the local system. A more serious risk exists if Internet Explorer is started from within PhotoDeluxe via a Link button. In this case, the PhotoDeluxe Java code can be leveraged to download a Java archive that can in turn be used to execute arbitrary code on the local system.

Impact

By enticing a user to view a malicious web page or HTML email message, an attacker may obtain directory listings or cause arbitrary code to be downloaded and executed with the privileges of the current user. If an attacker controls DNS information, they may be able to subvert the Connectables function without the user's knowledge.

Solution

Disable Active scripting and Java
At a minimum, disable Active scripting and Java in the Internet zone and the zone used by Outlook, Outlook Express, or any other email client that uses Internet Explorer to render HTML. Instructions for disabling Active scripting and Java can be found in the CERT/CC Malicious Web Scripts FAQ.
Configure CLASSPATH Variable
Modifying the CLASSPATH environment variable to exclude the PhotoDeluxe Java code will prevent exploitation of this vulnerability; however, it will also break the Connectables feature of PhotoDeluxe.
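The following script is an added example, not part of this vulnerability note and not Adobe's or the CERT/CC's code. It implements the CLASSPATH check and rewrite described above for the Windows 95/98 case: it scans autoexec.bat contents for SET CLASSPATH lines, flags any entry under the AdobeConnectables directory named in the note, and produces a sanitized CLASSPATH with that entry removed while leaving other entries (including a trailing %CLASSPATH% reference) intact. The autoexec.bat contents shown are constructed sample input; the per-user registry value used on Windows NT/2000 is not read here, only the process environment via audit_current_environment().

```python
"""Audit a Windows CLASSPATH for the PhotoDeluxe AdobeConnectables directory."""
import os
import re
from typing import Dict, List

# Directory name taken from the vulnerability note; matched case-insensitively.
PHOTODELUXE_MARKER = "adobeconnectables"

# Matches "SET CLASSPATH=<value>" in autoexec.bat regardless of case or spacing.
AUTOEXEC_SET_RE = re.compile(r"^\s*set\s+classpath\s*=\s*(.*?)\s*$", re.IGNORECASE)


def split_classpath(value: str) -> List[str]:
    """Split a Windows CLASSPATH on ';', dropping empty entries and surrounding quotes."""
    return [e.strip().strip('"') for e in value.split(";") if e.strip()]


def is_photodeluxe_entry(entry: str) -> bool:
    """True when an entry points into the PhotoDeluxe Connectables directory."""
    return PHOTODELUXE_MARKER in entry.lower()


def audit_classpath(value: str) -> Dict[str, object]:
    """Return the parsed entries, the flagged PhotoDeluxe entries, and a sanitized value."""
    entries = split_classpath(value)
    flagged = [e for e in entries if is_photodeluxe_entry(e)]
    kept = [e for e in entries if not is_photodeluxe_entry(e)]
    return {"entries": entries, "flagged": flagged, "sanitized": ";".join(kept)}


def audit_autoexec(text: str) -> List[Dict[str, object]]:
    """Audit every SET CLASSPATH line in autoexec.bat contents, recording its line number."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = AUTOEXEC_SET_RE.match(line)
        if m:
            result = audit_classpath(m.group(1))
            result["line"] = lineno
            results.append(result)
    return results


def rewrite_autoexec(text: str) -> str:
    """Return autoexec.bat contents with PhotoDeluxe entries removed from SET CLASSPATH lines.

    A line whose CLASSPATH becomes empty is commented out with REM rather than deleted,
    so the change is visible and reversible.
    """
    out = []
    for line in text.splitlines():
        m = AUTOEXEC_SET_RE.match(line)
        if m:
            sanitized = audit_classpath(m.group(1))["sanitized"]
            out.append(f"SET CLASSPATH={sanitized}" if sanitized else "REM " + line)
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def audit_current_environment() -> Dict[str, object]:
    """Audit the CLASSPATH of the running process (empty result if it is unset)."""
    return audit_classpath(os.environ.get("CLASSPATH", ""))


# Constructed sample autoexec.bat, modelled on the prepend form described in the note.
SAMPLE_AUTOEXEC = (
    "@ECHO OFF\n"
    "PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"
    "SET CLASSPATH=C:\\Program Files\\PhotoDeluxe HE 3.1\\AdobeConnectables;%CLASSPATH%\n"
    "SET TEMP=C:\\WINDOWS\\TEMP\n"
)

if __name__ == "__main__":
    for finding in audit_autoexec(SAMPLE_AUTOEXEC):
        print(f"line {finding['line']}: flagged {finding['flagged']}")
        print(f"  sanitized CLASSPATH: {finding['sanitized']!r}")
    print(rewrite_autoexec(SAMPLE_AUTOEXEC))
```

Run against a copy of autoexec.bat before replacing the real file, and keep in mind that removing the entry disables Connectables, as the note states; on Windows NT/2000 the same split-and-filter logic applies to the per-user CLASSPATH value, but it must be read from and written back to the user's environment settings rather than a batch file.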

Vendor Information


Adobe Affected

Notified: January 25, 2002 Updated: February 09, 2002

Status

Affected

Vendor Statement

Adobe Japan has released a Security Update (in Japanese):

The Security Update states that Adobe PhotoDeluxe 4.0 is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Unknown

Notified: January 28, 2002 Updated: January 29, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT Coordination Center thanks Dr. Hiromitsu Takagi for reporting this issue.

This document was written by Art Manion.

Other Information

CVE IDs: None
Severity Metric: 2.88
Date Public: 2001-07-18
Date First Published: 2002-02-09
Date Last Updated: 2002-02-09 22:15 UTC
Document Revision: 54

Sponsored by CISA.