Security update available for the Creative Cloud Desktop Application

Release date: April 12, 2016

Vulnerability identifier: APSB16-11

Priority: 2

CVE number: CVE-2016-1034

Platform: Windows and Macintosh

Adobe has released a security update for the Creative Cloud Desktop Application for Windows and Macintosh. This update resolves an important vulnerability in the Sync Process for Creative Cloud Libraries that could be abused to remotely read and write files on the client’s file system.

Product	Affected version	Platform
Creative Cloud Desktop Application	Creative Cloud 3.5.1.209 or earlier	Windows and Macintosh

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:

Product	Updated version	Platform	Priority rating
Creative Cloud Desktop Application	Creative Cloud 3.6.0.244	Windows and Macintosh	2

Creative Cloud users can apply the update via the application's update mechanism. For more details, visit https://www.adobe.com/creativecloud/desktop-app.html.

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages as described in the workflow documented here.

Refer to this help page for more information on the Creative Cloud Packager.

This update resolves a vulnerability in the JavaScript API for Creative Cloud Libraries that could be abused to remotely read and write files on the client’s file system (CVE-2016-1034).

Adobe would like to thank the following individuals and organizations for reporting this issue and for working with Adobe to help protect our customers:

Independently disclosed by Roger Chen of the University of California, Berkeley, and Lokihardt working with Trend Micro's ZDI (CVE-2016-1034).

Security update available for the Creative Cloud Desktop Application

Summary

Affected versions

Solution

Vulnerability Details

Acknowledgments

Ask the Community

Contact Us