Zend Optimizer contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered when improper permissions are given to the f flag in the everyone group, allowing a local attacker to gain elevated privileges.

Upgrade to version 3.3.3 (2012-03-29) or higher, as it has been reported to fix this vulnerability. Note that this flaw was fixed in the 2012-03-29 release without a change in version number. An upgrade is required as there are no known workarounds.

• Secunia Advisory ID: 48642
• Bugtraq ID: 52866
• ISS X-Force ID: 74580
• Other Advisory URL: http://cxsecurity.com/issue/WLB-2012040044
  http://www.zeroscience.mk/codes/zendoptimizer_iperms.txt
  http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5083.php
• Packet Storm: http://packetstormsecurity.org/files/111530/Zend-Optimizer-3.3.3-Insecure-Permissions.html
• Vendor Specific News/Changelog Entry: http://static.zend.com/topics/Zend-Optimizer-3.3.3-Release-Notes-V2.txt
• Vendor Specific Solution URL: http://www.zend.com/en/products/guard/downloads
• Vendor URL: http://www.zend.com/en/products/guard/runtime-decoders

• Gjoko Krstic - Zero Science Lab

NVD does not currently have a CVSSv2 score assigned.