Adobe Security Bulletin

Security update available for the Creative Cloud Desktop Application

Release date: April 11, 2017

Vulnerability identifier: APSB17-13

Priority: 3

CVE number: CVE-2017-3006, CVE-2017-3007

Platform: Windows

Summary

Adobe has released a security update for the Creative Cloud Desktop Application for Windows. This update resolves an important vulnerability related to the use of improper resource permissions during the installation of Creative Cloud desktop applications (CVE-2017-3006). This update also resolves a vulnerability related to the directory search path used to find resources (CVE-2017-3007).

Affected versions

Product | Affected version | Platform
Creative Cloud Desktop Application | Creative Cloud 3.9.5.353 and earlier versions | Windows

Solution

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:

Product | Updated version | Platform | Priority rating
Creative Cloud Desktop Application | Creative Cloud 4.0.0.185 and later versions | Windows | 3

To resolve CVE-2017-3006, customers need to update (or re-install) all installed Creative Cloud applications using version 4.0.0.185 (or later) of the Creative Cloud Desktop Application.

Customers can update the Creative Cloud Desktop Application to the latest version by signing out, and then signing back in, via the Creative Cloud Desktop Application.  Refer to this help page for more details on the sign-out and sign-in process using the Creative Cloud Desktop application.  

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages as described in the workflow documented here.  Refer to this help page for more information on the Creative Cloud Packager.

Vulnerability Details

  • This update resolves a vulnerability related to the use of improper resource permissions during the installation of Creative Cloud desktop applications (CVE-2017-3006).
  • This update resolves a vulnerability related to the directory search path used to find resources that could lead to code execution (CVE-2017-3007).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers: 

  • John Page a.k.a. hyp3rlinx (CVE-2017-3006) 
  • John Carroll (CVE-2017-3007)