Adobe Security Bulletin

Security update available for the Creative Cloud Desktop Application

Release date: June 14, 2016

Vulnerability identifier: APSB16-21

Priority: 3

CVE number: CVE-2016-4157, CVE-2016-4158

Platform: Windows

Summary

Adobe has released a security update for the Creative Cloud Desktop Application for Windows. This update resolves an untrusted search path vulnerability in the Creative Cloud Desktop Application installer, and an unquoted service path enumeration vulnerability in the Creative Cloud Desktop Application.

Affected versions

Product Affected version Platform
Creative Cloud Desktop Application Creative Cloud 3.6.0.248 and earlier versions Windows

Solution

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:

Product Updated version Platform Priority rating
Creative Cloud Desktop Application Creative Cloud 3.7.0.272 Windows  3

Creative Cloud 3.7.0.272 installer will be available starting on June 13th, 2016. For more details, visit https://www.adobe.com/creativecloud/desktop-app.html.

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages as described in the workflow documented here.

Refer to this help page for more information on the Creative Cloud Packager.

Vulnerability Details

  • This update resolves a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4157). 
  • This update resolves an unquoted service path enumeration vulnerability in the Creative Cloud Desktop Application(CVE-2016-4158).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting these issues and for working with Adobe to help protect our customers:

  • YoKo Kho and Dicky (@dickysOfficial) of MII - CAS Dept (CVE-2016-4157).
  • Cyril Vallicari / Ug_0 Security and Security team Netservice de Toekomst (CVE-2016-4158).