
Vulnerability within photoshop

Community Beginner, Jun 14, 2024

Defender detects vulnerabilities in Artifex Gpl Ghostscript. The evidence shows that this has to do with C:\Program Files\Adobe\Adobe Photoshop 2024\convert.exe, which is within Photoshop. Is anyone else having this, or is there any update on how we can resolve this vulnerability?

 

Thanks 

TOPICS
Windows
Community Expert, Jun 14, 2024

@Marewan5CDA I'd imagine it's a false positive, Virus Total shows that it's safe, and I scanned it with Bitdefender and again no issues

https://www.virustotal.com/gui/file/f2eb6b70203d9f6b5073b7c88f393fd7091d5a34ccc1d85eec83dfad0cbb0ac4

 

New Here, Jun 14, 2024

We are having the same issue with a Windows 10 device running Photoshop that has been updated to the latest version.

The convert.exe file itself is not malicious which is what BitDefender and Virus Total check for.

 

The issue is that Defender is detecting the version number 6.9.9.0 which has a known critical vulnerability CVE-2018-18284 which is "Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator." The following is what Defender is signalling on

 

Windows10 | 10.0.19045.4412 | x64 | artifex | gpl_ghostscript | 6.9.9.0 | CVE-2018-18284 | Critical

 

Since this file is installed as part of Photoshop, Adobe needs to update it. The latest release is Ghostscript 10.03.1 (2024-05-02). When will Adobe update?

New Here, Jun 16, 2024

Could there be a chance Defender Vulnerability Management is incorrectly picking up the version of Ghostscript? We have the same issue on two fresh installs of Photoshop.

New Here, Jun 18, 2024

We have this issue too on some of our devices. Has Adobe addressed this issue?

Community Beginner, Jun 18, 2024

I don't think it's a false positive (though it's not detecting a virus, but the presence of a vulnerability in a program). Whether that vulnerability is exploitable is a different question, but I think it's fair to assume that it could be, as it's clearly an old standalone .exe bundled with the install. I think I'm going to block execution of this version of the .exe using AppLocker until there's an update. We'll see if anything breaks.

Explorer, Jun 17, 2024

We too are seeing this vulnerability, however, we use Adobe Remote Update Manager (RUM) on all our machines with Adobe Creative Cloud apps installed, those that have run RUM have updated to the latest security release for Adobe Photoshop (25.9.1.626) released on the 11th June 2024 (see: https://helpx.adobe.com/security/products/photoshop/apsb24-27.html)
N.B. From my clients, it appears that all devices with a version older than 25.9.1.626 appear to be affected by the GPL PostScript vulnerability, so my suggestion is update all your Adobe Photoshop installs to the latest security fix.
I'm off to nudge the remaining machines that have not yet updated 😉

Explorer, Jun 17, 2024

Ignore my post above - Unfortunately, it was a coincidence that all older versions were affected.

Microsoft Defender for Endpoint is flagging that this is affecting all installs.

Adobe - Please Fix!

Community Beginner, Jun 17, 2024

@AdrianScott-WWFUK I was about to reply on it :). We are already using the CC

Community Beginner, Jun 17, 2024

Just to add we're seeing this too. Also applies to Photoshop 2023 and 2022. 

Community Beginner, Jun 18, 2024

I did manage to download ImageMagick-7.1.1-33-portable-Q16-x64.zip, which contained Convert.exe 7.1.1.0

However, that is also showing as vulnerable, exactly the same problem.

I thought we could update Ghostscript manually, but trying on a PC with Photoshop on it, it doesn't specifically have Ghostscript installed to update.

Stuck.

New Here, Jun 18, 2024

Is everyone reporting the issue running Microsoft Defender Threat / Vulnerability Management portal? I wonder if Defender is misreporting this, or if other vulnerability management platforms are also seeing this?

Chris
Community Beginner, Jun 18, 2024

We are seeing the same here, 4 Windows devices running Adobe Photoshop 2024 with the latest updates. It was first flagged by Defender on 11th June. I was hoping to have seen some action by now from MS (as a false positive) or from Adobe (as a fix).

Explorer, Jun 18, 2024

Just wondering if anyone has reported this to Adobe through their official channel yet?
https://helpx.adobe.com/uk/security/alertus.html 

Explorer, Jun 18, 2024

FYI: I have just notified them via the psirt@adobe.com email address to alert them of this issue

Community Beginner, Jun 18, 2024

Thanks for this info, I will be submitting a report too.

New Here, Jun 28, 2024

I reported this via psirt@adobe.com listing all 12 of the CVEs showing in Defender. Today I received this reply back.

 

"Hello,
Please be advised that the findings recently reported by Microsoft Defender regarding the use of Artifex GPL Postscript convert v6.9.9 are misidentified. Photoshop does not utilize this software tool, and therefore we are not affected by any associated vulnerabilities.
Thank you,
David
Adobe Product Security Incident Response Team"
Community Beginner, Jul 31, 2024

This is the latest back from Adobe PSIRT. At least they have acknowledged the existence of the ImageMagick convert.exe, but I'm still not sure where this leaves us. Incidentally, on the ImageMagick GitHub page they don't seem to be aware of Adobe using it and claim that the convert.exe module does not contain the affected libraries.

Security vulnerability by ghostscript · ImageMagick/ImageMagick · Discussion #7411 (github.com)

 

Email from adobe PSIRT:-

Hello,

 

Adobe is aware of the vulnerabilities in Artifex GPL Ghostscript "Convert" v6.9.9 present in the version of the ImageMagick library shipped with Adobe Photoshop. Adobe has investigated all of the reported vulnerabilities against ImageMagick shipping with Adobe Photoshop and has found that while the ImageMagick library containing the identified vulnerabilities exists in Adobe Photoshop, given the manner in which the library is used and the various security controls in place in the application, Adobe does not currently believe that these vulnerabilities are actually exploitable.

If you do find evidence of potential exploitability, please notify Adobe’s Product Security Incident Response Team (PSIRT) immediately and we will investigate further.

 

Thank you,

David

 

Adobe Product Security Incident Response Team

New Here, Jul 31, 2024

Mark, I "Report[ed] an Inaccuracy" within Defender Vulnerability Management (via CVE-2018-16509) under the category "There is software listed that isn't installed on any devices in my organization"

 

From there I reported the software as Artifex Gpl Ghostscript, selected the impacted machine, and linked to the Github discussion you referenced here.

I'm hoping that will be enough for Microsoft to adjust their detection logic.

New Here, Jul 31, 2024

From reviewing the following link on ImageMagick's site with regards to securing their application, they state "It is strongly recommended to establish a security policy suitable for your local environment before utilizing". Has Adobe deployed a suitable security policy to ensure that it can't be exploited? Can they just deploy a newer version so it is not vulnerable? https://imagemagick.org/script/security-policy.php

 

Thanks,

Craig Thomas

Community Beginner, Aug 09, 2024

Another response back from Adobe PSIRT. This time they appear to be saying that Windows Defender has mis-identified convert.exe as being Artifex GPL Ghostscript, which is not part of Photoshop, and also that they acknowledge the vulnerabilities in ImageMagick convert.exe but they don't see it as a problem!!!!! How on earth is anyone supposed to make sense of that, let alone put a sensible case forward for any mitigation of risk? It's madness.

 

-------------- latest email from psirt----------------

Mark,

Adobe is aware of the misidentification by Microsoft Defender of “convert.exe” executables shipping with Adobe Photoshop. We are working with Microsoft to resolve this issue.

Artifex GPL Ghostscript “Convert” v6.9.9 identified by Microsoft Defender is not present in Adobe Photoshop. Microsoft Defender is mis-identifying a separate 3rd party library, ImageMagick (which also contains a “convert.exe” executable), that does ship with Adobe Photoshop. Out of an abundance of caution Adobe has investigated reported vulnerabilities against ImageMagick and has found that while the ImageMagick library containing the identified vulnerabilities exists in Adobe Photoshop, given the manner in which the library is used and the various security controls in place in the application, Adobe does not currently believe that these vulnerabilities are actually exploitable.

If you do find evidence of potential exploitability, please notify Adobe’s Product Security Incident Response Team (PSIRT) immediately and we will investigate further.

Thank you,
David

----------------------------------

 

So I am trying again to remove convert.exe from our estate, just one stubborn PC left to eradicate it from.
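
An added example, not part of any post in this thread and not Adobe's or Microsoft's tooling: a PowerShell inventory that lists every convert.exe under the Adobe install folder with the product name, company and version recorded in its version resource, its Authenticode signer and its SHA-256, so the identity of the file Defender flags can be checked on the device itself. The function name `Get-ConvertExeInventory` and the default search root are assumptions.

```powershell
# Added example: inventory convert.exe copies under the Adobe install folder.
# Assumption: Photoshop lives under "C:\Program Files\Adobe" (path from the thread).
function Get-ConvertExeInventory {
    [CmdletBinding()]
    param(
        [string[]]$Root = @('C:\Program Files\Adobe'),
        [string]$FileName = 'convert.exe'
    )
    foreach ($dir in $Root) {
        if (-not (Test-Path -LiteralPath $dir)) {
            Write-Verbose "Skipping missing folder: $dir"
            continue
        }
        Get-ChildItem -LiteralPath $dir -Filter $FileName -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi  = $_.VersionInfo                 # fields from the PE version resource
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path        = $_.FullName
                    ProductName = $vi.ProductName     # what the binary declares itself to be
                    CompanyName = $vi.CompanyName
                    Description = $vi.FileDescription
                    FileVersion = $vi.FileVersion     # compare with the version Defender reports
                    Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    SigStatus   = $sig.Status
                    SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    LastWrite   = $_.LastWriteTimeUtc
                }
            }
    }
}

# One record per copy found; export with Export-Csv to compare across devices.
Get-ConvertExeInventory | Sort-Object Path | Format-List
```

ProductName and CompanyName show which product each copy declares itself to be, independent of its file name, and the same output confirms which devices still hold a copy after a removal attempt.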

LEGEND, Aug 09, 2024

Apparently you don't understand what Adobe is saying. They have investigated and there is no exploit.

LEGEND, Jun 18, 2024

Until Adobe confirms this, there is no way to know if their implementation is safe or not. They may be using Ghostscript in a way that cannot be exploited.

New Here, Jun 18, 2024

We are seeing the same problem. Deleting the file does not work either.

Community Beginner, Jun 26, 2024

Has anyone received any updates from Adobe on this? I reported the discovered vulnerability through their psirt@adobe.com email address but have received nothing back, not even a confirmation.
