Adobe Security Bulletin
Security updates available for Creative Cloud Desktop Application | APSB18-12
Bulletin ID Date Published Priority
APSB18-12 May 8, 2018 2

Summary

Adobe has released a security update for the Creative Cloud Desktop Application for Windows and MacOS. This update resolves a vulnerability in the validation of certificates used by Creative Cloud desktop applications (CVE-2018-4991), and an improper input validation vulnerability (CVE-2018-4992) that could lead to privilege escalation.

Affected versions

Product Affected version Platform
Creative Cloud Desktop Application

4.4.1.298 and earlier versions

Windows and MacOS

To check the version of the Adobe Creative Cloud desktop app:

  1. Launch the Creative Cloud desktop app and sign in with your Adobe ID.
  2. Click the gear icon and choose Preferences > General.

Solution

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:

Product Updated version Platform Priority rating Availability
Creative Cloud Desktop Application Creative Cloud 4.5.0.331 Windows and MacOS 2 Download Center

Customers who have enabled auto-update will automatically receive the new version. The latest Creative Cloud Desktop App can also be downloaded from the Download Center. For more information, please reference this help Page.  

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information on the Creative Cloud Packager. 

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVE Numbers
Improper input validation Privilege Escalation Important CVE-2018-4992
Improper certificate validation Security bypass Critical CVE-2018-4991
Unquoted Search Path Privilege Escalation Important CVE-2018-4873

Note: CVE-2018-4873 was previously resolved in version 4.3.0.256 of the Creative Cloud Desktop application.

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers: 

  • Wei Wei (@Danny__Wei) of Tencent's Xuanwu Lab (CVE-2018-4992)
  • Ryan Hileman of Talon Voice & Chi Chou (CVE-2018-4991)
  • Cyril Vallicari / HTTPCS – Ziwit (CVE-2018-4873)