=====================================================================
                                   CERT-Renater

                        Information Note No. 2011/VULN382
_____________________________________________________________________

DATE                      : 13/05/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows running Adobe Audition 3.0.1 and
                                   earlier versions.

======================================================================
http://www.adobe.com/support/security/bulletins/apsb11-10.html
_______________________________________________________________________

Potential vulnerabilities in Adobe Audition

Release date: May 12, 2011

Vulnerability identifier: APSB11-10

CVE number: CVE-2011-0614, CVE-2011-0615

Platform: Windows


Summary

Critical vulnerabilities have been identified in Adobe Audition 3.0.1
and earlier versions for Windows. One of the vulnerabilities could
allow an attacker, who successfully exploits the vulnerability, to run
malicious code on the affected system. An attacker would need to
convince a user to open a malicious binary Audition Session (.ses) file
to successfully exploit the issue. The Audition Session (.ses) file
format is an older format that is no longer supported with the release
of Adobe Audition CS5.5. Adobe is not aware of any attacks exploiting
these vulnerabilities against Adobe Audition.


Affected software versions

Adobe Audition 3.0.1 and earlier versions for Windows


Solution

Adobe strongly recommends Audition users discontinue use of the Adobe
Session (.ses) file format and switch to use of the XML session format.
XML is a human-readable standard for electronically encoding documents
with numerous benefits over binary formats. With the release of
Audition CS5.5, the binary Audition Session (.ses) file format is no
longer supported.
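The bulletin's mitigation is to stop relying on the binary .ses format and to keep Audition past the affected 3.0.1 release. The PowerShell script below is an added example for administrators (it is not part of the CERT-Renater note or the Adobe bulletin): it lists installed Audition versions from the Windows uninstall registry keys, flags any at or below 3.0.1, and inventories legacy *.ses files under the chosen directories so the users who still depend on the old format can be identified. It assumes the installer records a parsable DisplayVersion string and that the account running it can read the scanned profile directories; the scan is by file extension only and does not parse the files.

```powershell
# Added example, not code from the bulletin: inventory Adobe Audition installs
# and legacy binary .ses session files on a Windows host (APSB11-10 context).
param(
    # Directories to search for legacy session files (assumption: user Documents)
    [string[]]$ScanRoots = @("$env:USERPROFILE\Documents"),
    # Highest affected version per the bulletin: 3.0.1 and earlier
    [version]$MaxAffected = [version]"3.0.1"
)

# 1. Installed Audition versions: check both native and 32-bit uninstall hives
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Adobe Audition*' } |
    ForEach-Object {
        $parsed   = $null
        $affected = 'unknown'   # DisplayVersion may not be a clean dotted version
        if ([version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)) {
            $affected = if ($parsed -le $MaxAffected) { 'yes' } else { 'no' }
        }
        [pscustomobject]@{
            Name     = $_.DisplayName
            Version  = $_.DisplayVersion
            Affected = $affected
        }
    }

Write-Output "== Adobe Audition installations =="
if ($installs) { $installs | Format-Table -AutoSize } else { Write-Output "none found" }

# 2. Legacy binary session files. Extension match only: this identifies who
#    still uses the deprecated format, it does not judge file contents.
$sesFiles = Get-ChildItem -Path $ScanRoots -Filter '*.ses' -Recurse -File `
            -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

Write-Output "== Legacy .ses session files under: $($ScanRoots -join ', ') =="
if ($sesFiles) {
    $sesFiles | Format-Table -AutoSize
    Write-Output "$($sesFiles.Count) file(s); consider converting them to the XML session format."
} else {
    Write-Output "none found"
}
```

Run it as an administrator so the HKLM uninstall keys are readable, and pass `-ScanRoots` with the shared or profile directories of interest; the Affected column is 'unknown' when the recorded version string cannot be parsed, which should be resolved by hand rather than assumed safe.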


Severity rating

Adobe categorizes these as critical issues and recommends that users
switch to use of the XML session format.


Details

Critical vulnerabilities have been identified in Adobe Audition 3.0.1
and earlier versions for Windows. One of the vulnerabilities could
allow an attacker, who successfully exploits the vulnerability, to run
malicious code on the affected system. An attacker would need to
convince a user to open a malicious binary Audition Session (.ses) file
to successfully exploit the issue. The Audition Session (.ses) file
format is an older format that is no longer supported with the release
of Adobe Audition CS5.5. Adobe is not aware of any attacks exploiting
these vulnerabilities against Adobe Audition.

The .ses file format is an older format that is no longer supported as of
the Adobe Audition CS5.5 release. Adobe has been encouraging users to
switch to the XML session file format in place of the binary Audition
Session (.ses) file format (see http://blogs.adobe.com/insidesound
/2010/03/audition_xml_session_format.html).

This update resolves a memory corruption issue that could lead to
arbitrary code execution (CVE-2011-0614).

This update resolves a memory corruption issue which can lead to
arbitrary code execution (CVE-2011-0615).


Acknowledgments

Adobe would like to thank the following individuals and organizations
for reporting the relevant issues and for working with Adobe to help
protect our customers:

    Gjoko Krstic of Zero Science Lab (CVE-2011-0614)
    Diego Juarez, Eduardo Koch and Laura Balian from Core Security
    Technologies (CVE-2011-0615)


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
