Two vulnerabilities have been identified in various ACDSee products, which could be exploited by attackers to compromise a vulnerable system.

The first issue is caused by a buffer overflow error when parsing a specially crafted TIFF image, which could be exploited to crash an affected application or execute arbitrary code by tricking a user into opening a malicious image.

The second vulnerability is caused by a buffer overflow error when parsing specially crafted Fonts, which could be exploited to crash an affected application or execute arbitrary code by tricking a user into opening a malicious file.

Affected Products

ACDSee 11.x
ACDSee 10.x
ACDSee 9.x
ACDSee Photo Manager 2009
ACDSee Photo Manager 2008
ACDSee Pro Photo Manager version 2.5 and prior

Solution

VUPEN Security is not aware of any vendor-supplied patch.

References

http://www.vupen.com/english/advisories/2009/1471

In-depth Binary Analysis

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Private Exploit or PoC

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Credits

Vulnerabilities reported by Nicolas Joly of VUPEN Security.

Changelog

2009-04-08 : Vendor contacted
2009-04-15 : Vendor contacted again. No response.
2009-04-23 : Vendor contacted again. No response.
2009-05-06 : Vendor contacted again. No response.
2009-05-25 : Vendor contacted again. No response.
2009-06-02 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.