Adobe Security Bulletin

Release date: April 11, 2017

Vulnerability identifier: APSB17-13

Priority: 3

CVE number: CVE-2017-3006, CVE-2017-3007

Platform: Windows

Adobe has released a security update for the Creative Cloud Desktop Application for Windows. This update resolves an important vulnerability related to the use of improper resource permissions during the installation of Creative Cloud desktop applications (CVE-2017-3006). This update also resolves a vulnerability related to the directory search path used to find resources (CVE-2017-3007).

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:

To resolve CVE-2017-3006, customers need to update (or re-install) all installed Creative Cloud applications using version 4.0.0.185 (or later) of the Creative Cloud Desktop Application.

Customers can update the Creative Cloud Desktop Application to the latest version by signing out, and then signing back in, via the Creative Cloud Desktop Application.  Refer to this help page for more details on the sign-out and sign-in process using the Creative Cloud Desktop application.  

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages as described in the workflow documented here.  Refer to this help page for more information on the Creative Cloud Packager.

• This update resolves a vulnerability related to the use of improper resource permissions during the installation of Creative Cloud desktop applications (CVE-2017-3006).
• This update resolves a vulnerability related to the directory search path used to find resources that could lead to code execution (CVE-2017-3007).

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers: 

• John Page a.k.a. hyp3rlinx (CVE-2017-3006) 
• John Carroll (CVE-2017-3007)