Critical Flaw in Adobe’s Creative Cloud Desktop Application Fixed

Adobe recently released an out-of-bound security update for a flaw in the Windows version of its Creative Cloud Desktop Application. The flaw was caused by a time-of-check to time-of-use (TOCTOU) race condition, a condition that occurs when two or more system operations attempt to make changes to a shared data. When the race condition is eventually exploited, it could grant access to attackers to delete arbitrary files in the systems of victims.

Adobe’s Creative Cloud is made up of over 20 desktop and mobile application and services for design, photography, web, video, UX and more. It serves as the central console that desktop users use in launching, managing and updating their applications. The versions of Creative Cloud that were affected are version 5.0 and earlier versions. The new version (version 5.1) was released with the patch, thereby putting an end to the flaw.

In a security bulletin that Adobe released alongside the update, it was recommended that “…users update their product installations to the latest versions using the instructions referenced in the security bulletin.” Failure to update to latest version could expose users to exploitation which, “…could lead to arbitrary file deletion in the context of the current user.” The company said it was unaware of any exploits on the flaw, hence the reason why they rated the security update as “Priority 2”. Priority 2 is a rating for vulnerabilities for which there are no documented fixes, and for which an exploit is not likely to occur in near future. In their words, “Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days).”

The patch was the second out-of-band update released by Adobe in the month of March; a week before the release of the patch, it published an update addressing critical vulnerabilities in its Photoshop and Acrobat Reader products, which could allow arbitrary code execution if exploited by attackers. Generally, Adobe fixed bugs related to 41 CVEs in different product offering, and 29 of these bugs were critical bugs. Fixes were published out-of-bound, just like this particular patch.

Adobe credited Jiadong Lu of South China University of Technology and Zhiniang Peng of Qihoo 360 Core Security (@edwardzpeng) for discovering the flaw. It is worthy of note that in 2019, Adobe’s vulnerability revealed 7.5 million Adobe Creative Cloud user accounts on the Internet, inside an Elasticsearch database that was not password protected.

sharafmaksumov –