Vulnerability within photoshop

Honestly I'm not hugely confident in that response given that (a) they call it Postscript rather than Ghostscript, and (b) they just say they don't use that software tool, therefore can't have any of the vulnerabilities, but the file in quesition is from ImageMagick, and an old enough version to have legacy vulnerabilities. 

 

I'm not saying the response is wrong, but I'd like to feel it was looked into a bit more than "nope, we don't use that tool, so we're good".

 

I updated this file to the latest version (7.1.1.0) on some PC's and it's still showing up as vulnerable.

This and the fact the dates go back years makes me think it's a red herring.
We need to know for sure though either way..

 

Is the updated file showing as the one that’s vulnerable in Defender? I don’t know about your setup, but I’ve fully uninstalled Photoshop on some machines and they’re still showing as vulnerable, presumably as they haven’t rescanned the file yet. It’s been very slow to update the status, which is annoying!

Yep I was surprised to see, the screenshot shows both 6.9.9 and 7.1.1 show up under the same vulnerability, it made no difference.

Sorry, missed your screenshot. Defender is detecting it as Artifex Gpl Ghostscript 6.9.9.0, and lists anything below Artifex Gpl Ghostscript 9.26 as vulnerable, so that explains why 7.1.1 isn't fixing it.. Seeing as there isn't a more recent file with a version as high as Defender wants it, I'm happy enough with the explanation the file has been misidentified. Thanks for your help! 

 

Nice spot there, I too have had the same reply from Adobe PSIRT:
"Hello,

 

Please be advised that the findings recently reported by Microsoft Defender regarding the use of Artifex GPL Postscript convert v6.9.9 are misidentified. Photoshop does not utilize this software tool, and therefore we are not affected by any associated vulnerabilities.

 

Thank you,

David

 

Adobe Product Security Incident Response Team"

I have replied this morning with a copy of your helpful screen grab

"Thanks for your reply, however, I think your information may be incorrect.

 

The vulnerable component is ‘Artifex GPL Postscript convert v6.9.9’, this is being detected because it has been incorporated into the PhotoShop install via the use of ‘ImageMagick Studio library and utility programs’ – evidence shown below in a PhotoShop 2024 install.

 

Therefore, I believe this needs fixing with an updated convert.exe from the  ‘ImageMagick Studio library and utility programs’ or it needs removing from the Adobe Photoshop install

 

Please can you get this vulnerability fixed / component updated?"

@AdrianScott-WWFUK thnx for sharing and replying on the email. If you get an answer. Please share with us 🙂

👌

So the security team can't find out from the developers what software is or is not installed? Put down the glass, you've had a bit too much. Amateur assumptions aren't helpful.

I've had a response:
"

Hi Adrian, 

 

We have looked into Photoshop's installed files, and we do not install Artifex GPL Postscript convert v6.9.9. We do install ImageMagick convert 6.9.9.  

 

It appears that Microsoft Defender for Endpoint has misidentified which utility convert belongs to. The CVEs for Artifex GPL Postscript are not applicable.

 

Thank you,

Adobe Product Security Incident Response Team

"

So (based on Adobes response) It should be reported as a false detection by Defender for Endpoint, I'll report this to Microsoft now via the defender portal - anyone else who is watching feel free to do the same

I mean, he is not completly wrong. Adobe doesn't use Ghostscript but ImageMagick does. It's part of ImageMagick.

 

Just google ImageMagick Insecuritys and it's the first that pops up.

The Question is wich version of Ghostscript ImageMagick is using.

 

https://experienceleague.adobe.com/de/docs/experience-manager-65/content/assets/extending/best-pract...
Thats what I found, there are some tipps at the bottom of the article to close the Insecuritys.

:tennis:Feels like it's a game of Tennis 🤣
So that makes sense now that Defender is detecting what it thinks is Ghostscript (as it is probably correct), It's just Adobe PSIRT not aware that ImageMagick uses GhostScript 🤯
So I guess Microsoft may reject the false detection I'd reported and it'll be back to Adobe to get them to actually fix it (or at least get an updated version from ImageMagick) 🤷‍:male_sign:

Why does it take the community to solve Adobes problems for them🙄

I just love how non-programmers try to second guess software publishers. Why would you use Adobe products at all if you don't think the security team can find out what dependencies their apps have? I'm not sure if this is funny or tragic.

aka ":pile_of_poo:dobe"

Have you heard anything back? Defender is still reporting these as vulnerable for me as of this morning. I can't anything official from Adobe on this either.

Sorry I pasted the wrong thing.... ignore my previous message. This is a false positive. They  replied with

 

“Please be advised that the findings recently reported by Microsoft Defender regarding the use of Artifex GPL Ghostscript convert v6.9.9 are misidentified. Photoshop does not utilize this software tool, and therefore we are not affected by any associated vulnerabilities."

Hi Ryan,
I also emailed them about this but didn't get a reply. Do you mind pasting image of their reply here?

 

Thank you, Ryan. Even though they say Photoshop doesn't use the software then why is it still being installed with Photoshop even after removing? Interesting.

Thank you for letting us know.

Interestingly as well, Convert.exe is considered a legacy utility and installed installed as standard by ImageMagick where it originates from.

Nothing back from Adobe psirt regarding confirmation that ImageMagick does not have the vulnerability. The vuln is still showing up on Defender 365 dashboard as a CVSS 9.8 on the dashboard so obviously submitting the false positives has had no effect.

Not sure why Adobe wouldn't consider a CVE rated at 9.8 a priority?  Maybe because they don't consider a third party component that they bundle in their software package to be their problem?

I am wondering whether anyone from Adobe looks at this community or are we urinating into the breeze.