Updated: A flaw in Version 1.0 running on OS X could enable a hacker with local sign-on to commandeer a system.A security flaw was disclosed today in Adobe Systems Inc.'s Version Cue software—the second security flaw in the company's software discerned during the last month.
The latest flaw was reported Monday by iDefense Inc., a provider of security intelligence to governments and Fortune 500 organizations, based in Reston, Va., near Washington, D.C.
The vulnerability was discovered in Adobe Version Cue 1.0, a software tracking system for programs distributed with Adobe Creative Suite and other products. The flaw is absent in the current shipping version of the product, a part of Creative Suite 2, released in April, Adobe officials said.
According to an advisory issued by iDefense, local exploitation of a design error in Version Cue allows hackers to gain root privileges on a PC.
The software contains a root application, dubbed VCNative, that contains a "design error," the iDefense advisory said.
"The vulnerability specifically exists due to an unchecked command-line-option parameter," it warned.
"The '-lib' command line option allows users to specify library bundles, which allows for the introduction of arbitrary code in the context of a root-owned process. By utilizing the '-lib' argument to load a malicious library, local attackers can execute arbitrary code with root privileges."
Adobe released a "vendor advisory," as well as a patch for the latest problem.
The company said that the identified vulnerability is caused by special file permissions on internal Version Cue 1.0 application files.
"This vulnerability cannot be exploited by users who do not have local login accounts on that computer. The security update amends the internal Version Cue Workspace files so that special file permissions are no longer needed or utilized," Adobe said.
"Despite the fact that this [problem] is affecting older technology, Adobe responded quickly to the problem and provided a fix," said Bob Schaffel, Adobe senior product manager. He observed that the rewritten code in CS2 avoided the vulnerability altogether.
Editor's Note: This story was updated to include information from Adobe officials.
Read the full story on eWEEK.com: Vulnerability Flagged in Adobe Version Cue
