Adobe has released an out-of-band security update for its Creative Cloud Desktop Application for Windows. The update patches a critical vulnerability that could allow attackers to delete arbitrary files on a vulnerable computer.
Creative Cloud is a collection of 20+ desktop and mobile apps and services for photography, design, video, web, UX and more. Creative Cloud acts as a central console for desktop users to quickly launch, manage and update their Adobe apps. Specifically affected is the Creative Cloud desktop application version 5.0 and earlier; Adobe has made the necessary fixes in version 5.1 of the application.
“Successful exploitation could lead to arbitrary file deletion in the context of the current user,” said Adobe.
Adobe recommended that users update their product installations to the latest versions using the instructions referenced in the security bulletin.
The flaw (CVE-2020-3808) stems from a time-of-check to time-of-use (TOCTOU) race condition. A race condition occurs when two or more system operations can access shared data and try to change it at the same time. In a TOCTOU race, the state a program checks can change before the program acts on the result of that check. To exploit the vulnerability, the attack would have to be precisely timed to achieve the desired results. If exploited, the flaw could enable arbitrary file deletion, allowing an attacker to delete certain critical files.
Adobe did not disclose technical details about the vulnerability and is not aware of attacks in the wild that exploited the vulnerability.
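Because no technical details were published, the following is an added, generic illustration of the TOCTOU file-deletion class, not Adobe's code: a check-then-delete routine beside a handle-based one, both run in a constructed temporary sandbox. The function names, the sandbox layout and the use of POSIX directory handles (the affected product is a Windows application) are assumptions of this example.

```python
import os
import tempfile

def delete_checked_path(base, rel, gap=lambda: None):
    """Check-then-use on a path string (the TOCTOU pattern)."""
    path = os.path.join(base, rel)
    root = os.path.realpath(base) + os.sep
    if not os.path.realpath(path).startswith(root):   # time of check
        raise PermissionError("outside cleanup directory")
    gap()              # constructed stand-in for another process running in the gap
    os.remove(path)    # time of use: the string is resolved a second time

def delete_by_handle(base, rel, gap=lambda: None):
    """Hardened: resolve once into directory handles, then delete relative to them."""
    *dirs, leaf = rel.split("/")
    fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for d in dirs:   # O_NOFOLLOW: a symlinked component is an error, not a redirect
            nxt = os.open(d, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nxt
        gap()
        os.unlink(leaf, dir_fd=fd)   # acts on the directory that was opened above
    finally:
        os.close(fd)

def run_case(delete):
    """Build a constructed sandbox; return True if the protected file survived."""
    with tempfile.TemporaryDirectory() as tmp:
        base, keep = os.path.join(tmp, "cleanup"), os.path.join(tmp, "keep")
        os.makedirs(os.path.join(base, "cache"))
        os.makedirs(keep)
        for d in (os.path.join(base, "cache"), keep):
            with open(os.path.join(d, "old.tmp"), "w") as f:
                f.write("x")
        def repoint():   # cache/ is replaced by a link to keep/ inside the gap
            os.rename(os.path.join(base, "cache"), os.path.join(base, "cache.bak"))
            os.symlink(keep, os.path.join(base, "cache"))
        delete(base, "cache/old.tmp", repoint)
        return os.path.exists(os.path.join(keep, "old.tmp"))

if __name__ == "__main__":
    print("check-then-delete kept protected file:", run_case(delete_checked_path))
    print("handle-based delete kept protected file:", run_case(delete_by_handle))
```

The path-string version passes its check and then deletes the file outside the cleanup directory, while the handle-based version removes only the file in the directory it originally opened.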
The flaw affects the Windows version of the Creative Cloud desktop application; version 5.1 of the application addresses the vulnerability.
Adobe usually releases security updates along with Microsoft’s Patch Tuesday security updates, but this month nothing was released at that time; instead, Adobe released out-of-band updates addressing critical flaws in its Photoshop and Acrobat Reader products.