Security researchers are warning of a brace of unpatched flaws in Adobe Photoshop that allow hackers to gain control of vulnerable PCs.

The first vulnerability (http://secunia.com/advisories/25044) – which affects Adobe Photoshop CS2, Adobe Photoshop CS3, and Adobe Photoshop Elements 5.x – leaves users open to attack if they open malformed PNG graphics files.

Discovered by white hat hacker Marsu, the flaw stems from a stack-based buffer overflow bug in a Photoshop Format Plugin involved in handling PNG files.

Marsu has also discovered a similar (http://secunia.com/advisories/25023) buffer overflow vulnerability in Adobe Photoshop CS2 and Adobe Photoshop CS3 involved in the handling of Bitmap files.

Successful exploitation of either security bug allows the execution of arbitrary code. Users are advised not to open untrusted PNG or Bitmap files pending the release of a security update from Adobe. ®

Related stories

Adobe pulls bug-riddled Photoshop update (18 March 2008)
http://www.channelregister.co.uk/2008/03/18/photoshop_bug/
Nasty PDF exploit runs wild (24 October 2007)
http://www.theregister.co.uk/2007/10/24/pdf_exploit_in_the_wild/
Adobe gifts internal file permissions to unwashed masses (27 September 2007)
http://www.channelregister.co.uk/2007/09/27/adobe_website_leak/
Fake flash player site used to spread malware (22 June 2007)
http://www.channelregister.co.uk/2007/06/22/shockwave_social_engineering_ruse/
Adobe takes UK price hikes to new level with CS3 (5 April 2007)
http://www.channelregister.co.uk/2007/04/05/pay_twice_you_wish/
Adobe gets Creative with its Suites (28 March 2007)
http://www.channelregister.co.uk/2007/03/28/adobe_cs3/
Adobe takes on Java and .NET (6 February 2007)
http://www.theregister.co.uk/2007/02/06/adobe_flex_apollo/
Adobe Reader update lances multiple bugs (11 January 2007)
http://www.channelregister.co.uk/2007/01/11/adobe_reader_update/
Adobe scripting flaw unearthed (4 January 2007)
http://www.channelregister.co.uk/2007/01/04/adobe_scripting_flaw/