             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       | /_\  /    \___
                          \___  __|__ /   \      \___
             __________________________________________________________

                             INFORMATION BULLETIN

          Potential Security Risk with Macromedia eLicensing Client
                               Activation Code
                       [Macromedia Bulletin MPSB05-04]

June 10, 2005 16:00 GMT                                           Number P-216
______________________________________________________________________________

PROBLEM:       Windows versions of the Macromedia installers and eLicensing
               client install a service with permissions that allow any
               member of the "Users" group to modify the service settings.
               This may allow local users to obtain the permissions of the
               "Local System" account.

PLATFORM:      All versions of Macromedia MX 2004 products (Studio, Studio
               with Flash Professional, Flash Professional, Flash, FreeHand,
               Dreamweaver, Fireworks, and Director) as well as Captivate,
               Contribute 2, and Contribute 3 are affected.

DAMAGE:        Windows versions of the Macromedia installers and eLicensing
               client install the 'Macromedia Licensing Service' as a Local
               System service with a service Access Control List (ACL) that
               allows members of the “Users” group to modify the service
               configuration information. This information includes the
               service’s “path to executable,” which identifies the command
               that is run when the service is started. By replacing the
               default setting with an alternate file or command, any
               logged-on user may be able to run arbitrary code in the
               security context of the Local System account.

SOLUTION:      A hotfix can be downloaded from the Macromedia website to
               protect users of affected versions of Macromedia products.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. Any logged-on user may be able to run
ASSESSMENT:    arbitrary code in the security context of the Local System
               account.
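The DAMAGE entry above describes a service whose ACL lets the Users group rewrite the service configuration, including the path to the executable the service runs as Local System. One way an administrator can check any Windows host for this class of misconfiguration, as an added example that is not part of the CIAC or Macromedia bulletin: parse the SDDL string that `sc sdshow <service>` prints and flag every Allow ACE that grants a low-privilege principal a right with which it could change the service's executable path or rewrite the ACL itself. The two sample descriptors are constructed for this example and are not the Macromedia Licensing Service's actual security descriptor; the mapping of SDDL right letters to SERVICE_* access masks and the well-known SID aliases follow Windows' documented values.

```python
import re
from dataclasses import dataclass

# Service-specific meaning of the two-letter SDDL access rights printed by
# `sc sdshow <service>`.  Values are the Win32 SERVICE_* / standard access masks.
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),   # rewrite "path to executable"
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),              # rewrite the ACL itself
    "WO": ("WRITE_OWNER", 0x80000),
    "GA": ("GENERIC_ALL", 0x10000000),
    "GX": ("GENERIC_EXECUTE", 0x20000000),
    "GW": ("GENERIC_WRITE", 0x40000000),
    "GR": ("GENERIC_READ", 0x80000000),
}

# Rights that let the holder change what the service runs, or grant themselves that right.
TAKEOVER_RIGHTS = ("DC", "WD", "WO", "GA", "GW")

# SDDL aliases and well-known SIDs for principals that every logged-on user holds.
LOW_PRIV_PRINCIPALS = {
    "BU": "Builtin\\Users",       "S-1-5-32-545": "Builtin\\Users",
    "AU": "Authenticated Users",  "S-1-5-11": "Authenticated Users",
    "WD": "Everyone",             "S-1-1-0": "Everyone",
    "IU": "Interactive",          "S-1-5-4": "Interactive",
    "AN": "Anonymous",            "S-1-5-7": "Anonymous",
}


@dataclass
class Ace:
    ace_type: str      # "A" allow, "D" deny, "AU" audit, ...
    rights: list       # two-letter right codes, in the order written
    trustee: str       # SDDL alias (BU, SY, ...) or explicit S-1-... SID


def dacl_section(sddl):
    """Return the text of the D: (DACL) part of an SDDL string; the S: SACL is ignored."""
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("SDDL string has no DACL")
    end = sddl.find("S:", start)
    return sddl[start + 2 : end if end >= 0 else len(sddl)]


def split_rights(field):
    """Turn the rights field of an ACE into two-letter codes (a hex mask is accepted too)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [code for code, (_, bit) in SERVICE_RIGHTS.items() if mask & bit]
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    return [field[i : i + 2] for i in range(0, len(field), 2)]


def parse_dacl(sddl):
    """Parse every (type;flags;rights;object;inherit;trustee) ACE in the DACL."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl_section(sddl)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(fields[0], split_rights(fields[2]), fields[5]))
    return aces


def audit_service_sddl(sddl):
    """Return [(principal, [dangerous right codes])] for every Allow ACE that hands a
    low-privilege principal a right with which it could take over the service."""
    findings = []
    for ace in parse_dacl(sddl):
        principal = LOW_PRIV_PRINCIPALS.get(ace.trustee)
        if ace.ace_type != "A" or principal is None:
            continue
        bad = [r for r in ace.rights if r in TAKEOVER_RIGHTS]
        if bad:
            findings.append((principal, bad))
    return findings


# Constructed sample descriptors (not the real Macromedia Licensing Service ACL).
# WEAK models the bulletin's condition: Builtin\Users holds the same rights as Administrators.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# HARDENED grants interactive users only query/interrogate rights.
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for label, sddl in (("weak", WEAK_SDDL), ("hardened", HARDENED_SDDL)):
        findings = audit_service_sddl(sddl)
        print(f"{label}: {'RISK' if findings else 'OK'}")
        for principal, codes in findings:
            print(f"  {principal} may: " + ", ".join(SERVICE_RIGHTS[c][0] for c in codes))
```

On a real host the input string comes from `sc sdshow "<service name>"` run in an elevated prompt; the parser only looks at the D: section, so the audit ACE in the S: section (which names Everyone as the audited trustee) does not produce a false finding. After applying the vendor hotfix, re-running the check against the service's descriptor confirms that the Users group no longer holds SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER.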
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-216.shtml
 ORIGINAL BULLETIN:  http://www.macromedia.com/devnet/security/security_zone/mpsb05-04.html
 CVE/CAN:
______________________________________________________________________________

[***** Start Macromedia Bulletin MPSB05-04 *****]

MPSB05-04 — Potential Security Risk with Macromedia eLicensing Client
Activation Code

Originally posted: June 9, 2005

Summary

Windows versions of the Macromedia installers and eLicensing client install a
service with permissions that allow any member of the "Users" group to modify
the service settings. This may allow local users to obtain the permissions of
the "Local System" account.

This potential vulnerability does not affect products installed on machines
with a single user and it cannot be exploited remotely.

Solution

A hotfix can be downloaded from the Macromedia website to protect users of
affected versions of Macromedia products, listed below. All future versions of
Macromedia products will be unaffected by this issue.

Affected Software Versions

All versions of Macromedia MX 2004 products (Studio, Studio with Flash
Professional, Flash Professional, Flash, FreeHand, Dreamweaver, Fireworks, and
Director) as well as Captivate, Contribute 2, and Contribute 3 are affected.

Severity Rating

Macromedia categorizes this issue as an important update and recommends that
administrators of systems supporting multiple users apply the hotfix linked
below.

 * Download Hotfix Updater (EXE, 1.2 MB)

Details

Windows versions of the Macromedia installers and eLicensing client install the
'Macromedia Licensing Service' as a Local System service with a service Access
Control List (ACL) that allows members of the “Users” group to modify the
service configuration information. This information includes the service’s
“path to executable,” which identifies the command that is run when the
service is started.
By replacing the default setting with an alternate file or command, any
logged-on user may be able to run arbitrary code in the security context of
the Local System account.

Acknowledgements

Macromedia would like to thank our colleagues at Macrovision, Adobe, and
Autodesk for their cooperation on this issue.

Revisions

June 9, 2005 — Bulletin first created.

Reporting Security Issues

Macromedia is committed to addressing security issues and providing customers
with the information on how they can protect themselves. If you identify what
you believe may be a security issue with a Macromedia product, please send an
email to secure@macromedia.com. We will work to appropriately address and
communicate the issue.

Receiving Security Bulletins

When Macromedia becomes aware of a security issue that we believe significantly
affects our products or customers, we will notify customers when appropriate.
Typically this notification will be in the form of a security bulletin
explaining the issue and the response. Macromedia customers who would like to
receive notification of new security bulletins when they are released can sign
up for our security notification service.

For additional information on security issues at Macromedia, please visit:
http://www.macromedia.com/security.

ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY
MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR
IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE
OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF
IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION
OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY
INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE),
PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR
THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
(USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION
MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM
STATE TO STATE.

Macromedia reserves the right, from time to time, to update the information in
this document with current information.

[***** End Macromedia Bulletin MPSB05-04 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Macromedia for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-206: Mozilla & Firefox Security Update
P-207: Ethereal Security Update
P-208: Kernel Security Update
P-209: HP-UX Trusted System Remote Unauthorized Access
P-210: bzip2
P-211: PostgreSQL Security Vulnerabilities
P-212: HP OpenView Radia Notify Daemon Security Vulnerabilities
P-213: GNU “mailutils” Contains Several Vulnerabilities
P-214: rpc.mountd security issues in IRIX 6.5.25-6.5.27
P-215: Apple Security Update 2005-006