Mac firewall security flaw in Adobe CS3

1589 Views 6 Replies 3 Participants Last post by krs, May 17, 2007

krs

Discussion Starter · May 17, 2007

Security experts are warning of an issue within Adobe CS3's Version Cue application which can disable a Mac's built-in firewall.

An alert from the experts at Secunia warns that Adobe Version Cue disables a Mac's firewall when it is installed. It does so in order to set certain ports up for "controlled access through the firewall", the experts said.

The probelm is that the installer doesn't re-enable the firewall once installation is complete, leaving certain system services vulnerable to attacks.

The security issue is reported in Adobe Version Cue CS3 Server, installed as part of Adobe Creative Suite 3 Design Premium, Design Standard, Web Premium, or Web Standard editions, Secunia explains.

There is a simple fix to the flaw, which is rated as "less critical" – users simply need to re-enable their Mac OS X firewall in System Preferences once installation is complete.

Mac firewall security flaw in Adobe CS3 - ProCreative - Macworld UK

I'm rather surprised that an application can simply turn off the firewall without any red flags to the user.
Any comments?

Save

1 - 7 of 7 Posts

TroutMaskReplica

· #2 · May 17, 2007

yes. this is not acceptable to me as a user. no application should be able to do this. the installer should give written instructions to the person running the installation.

Save

genuineadvantage

· #3 · May 17, 2007

krs said:
I'm rather surprised that an application can simply turn off the firewall without any red flags to the user.
Any comments?

Do you not have to authenticate to begin the installation process? If so that would be your answer.

Save

krs

Discussion Starter · #4 · May 17, 2007

genuineadvantage said:
Do you not have to authenticate to begin the installation process? If so that would be your answer.

Well yes.

But I certainly wouldn't check my firewall to see if the application I installed disabled it. That's what seems to be happening here.

I'm surprised that MacWorld considers this a minor issue. Sure - it's easy enough to fix if you know about it.

I don't use this application, so I can't test what is actually happening. I would expect OS X to at least bring up a big warning message if anything turns off the firewall.
Wonder if this also happens when you lock the firewall settings to prevent changes being made there.

Save

genuineadvantage

· #5 · May 17, 2007

krs said:
Well yes.

But I certainly wouldn't check my firewall to see if the application I installed disabled it. That's what seems to be happening here.

I am certainly not disputing the fact that this is unacceptable, however its more so Adobes fault then Apples. Because Adobes installer is asking for authentication and when you enter your password (if any) and click ok then you are essentially granting the application unrestricted access to the system at that point. And you accept the consequences that could occur as a result. Users have to understand that software is volatile.

krs said:
Wonder if this also happens when you lock the firewall settings to prevent changes being made there.

Good question

This is definitely worth investigating! I have that option turned on in the security preference. "Require password to unlock each secure system preference."

It is very much appreciated that you have brought this information forward.

Save

· #6 · May 17, 2007

I'm surprised they haven't updated this one yet. It's a super simple fix on their part (one line missing in their postflight script).

Save

krs

Discussion Starter · #7 · May 17, 2007

mguertin said:
I'm surprised they haven't updated this one yet. It's a super simple fix on their part (one line missing in their postflight script).

Who is "they"? Adobe or Apple?

Save

1 - 7 of 7 Posts

This is an older thread, you may not receive a response, and could be reviving an old thread. Please consider creating a new thread.

Top Contributors this Month