Security update available for the Creative Cloud Desktop Application

Release date: April 12, 2016

Vulnerability identifier: APSB16-11

Priority: 2

CVE number: CVE-2016-1034

Platform: Windows and Macintosh

Summary

Adobe has released a security update for the Creative Cloud Desktop Application for Windows and Macintosh. This update resolves an important vulnerability in the Sync Process for Creative Cloud Libraries that could be abused to remotely read and write files on the client’s file system.

Affected versions

| Product | Affected version | Platform |
|---|---|---|
| Creative Cloud Desktop Application | Creative Cloud 3.5.1.209 or earlier | Windows and Macintosh |

Solution

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:

| Product | Updated version | Platform | Priority rating |
|---|---|---|---|
| Creative Cloud Desktop Application | Creative Cloud 3.6.0.244 | Windows and Macintosh | 2 |

Creative Cloud users can apply the update via the application's update mechanism. For more details, visit https://www.adobe.com/creativecloud/desktop-app.html.

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages as described in the workflow documented here.

Refer to this help page for more information on the Creative Cloud Packager.

Vulnerability Details

This update resolves a vulnerability in the JavaScript API for Creative Cloud Libraries that could be abused to remotely read and write files on the client’s file system (CVE-2016-1034).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting this issue and for working with Adobe to help protect our customers:

  • Independently disclosed by Roger Chen of the University of California, Berkeley, and Lokihardt working with Trend Micro's ZDI (CVE-2016-1034).