CERT Coordination Center

Nik Software Sharpener Pro vulnerable to privilege escalation

Vulnerability Note VU#124289

Original Release Date: 2008-03-28 | Last Revised: 2008-03-28

Overview

Nik Software Sharpener Pro installs files with insecure permissions, which may allow a local attacker to elevate privileges.

Description

Nik Software Sharpener Pro is an Adobe Photoshop plug-in that provides image sharpening capabilities. The Nik Software Sharpener Pro installer sets insecure permissions on the plug-in files. The plug-ins can contain executable code, yet they are world-writable.

Impact

An unprivileged user may be able to modify files that can be executed by other users, which can allow privilege escalation.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workaround:

Remove write access to the Nik Sharpener plug-in files

By removing the ability of the "other" group to write to the plug-in files, this vulnerability can be mitigated.
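One way to apply and verify this workaround, as an added example that is not from CERT/CC or the vendor: it lists entries with the "other" write bit set and clears only that bit. `PLUGIN_DIR` and the function names are assumptions (the note does not give the install path), and the check also covers directories, since a world-writable directory lets a user replace the files inside it.

```shell
#!/bin/sh
# Added example: audit and remove "other" write access on plug-in files.
# PLUGIN_DIR is a placeholder; the advisory does not state the install path.

# list_world_writable DIR
# Print regular files and directories under DIR whose "other" write bit
# (octal 0002) is set. find does not follow symlinks by default.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# count_world_writable DIR
# Number of world-writable entries under DIR (0 means the workaround holds).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# fix_world_writable DIR
# Clear only the "other" write bit; owner and group bits are left untouched.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Run the audit and fix only when PLUGIN_DIR is set in the environment.
if [ -n "${PLUGIN_DIR:-}" ]; then
    echo "World-writable entries under $PLUGIN_DIR:"
    list_world_writable "$PLUGIN_DIR"
    fix_world_writable "$PLUGIN_DIR"
    echo "Remaining after fix: $(count_world_writable "$PLUGIN_DIR")"
fi
```

Reinstalling or updating the plug-in may restore the original permissions, so rerun the count afterwards.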

Vendor Information


Nik Software Affected

Notified: March 07, 2008 | Updated: March 28, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Vlad Didenko for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

CVE IDs: None
Severity Metric: 0.77
Date Public: 2008-02-09
Date First Published: 2008-03-28
Date Last Updated: 2008-03-28 18:44 UTC
Document Revision: 3

Sponsored by CISA.