search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Nik Software Sharpener Pro vulnerable to privilege escalation

Vulnerability Note VU#124289

Original Release Date: 2008-03-28 | Last Revised: 2008-03-28

Overview

The Nik Software Shapener Pro installs files with insecure permissions, which may allow a local attacker to elevate privileges.

Description

Nik Software Sharpener Pro is an Adobe Photoshop plug-in that provides image sharpening capabilities. The Nik Software Sharpener Pro installer sets insecure permissions on the plug-in files. The plug-ins can contain executable code, yet they are world-writable.

Impact

An unprivileged user may be able to modify files that can be executed by other users, which can allow privilege escalation.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workaround:

Remove write access to the Nik Sharpener plug-in files

By removing the ability of the "other" group to write to the plug-in files, this vulnerability can be mitigated.

Vendor Information

124289
 
Affected   Unknown   Unaffected

Nik Software

Notified:  March 07, 2008 Updated:  March 28, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to  Vlad Didenko for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

CVE IDs: None
Severity Metric: 0.77
Date Public: 2008-02-09
Date First Published: 2008-03-28
Date Last Updated: 2008-03-28 18:44 UTC
Document Revision: 3

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.