Adobe has warned users of its Creative Cloud Desktop Application for Windows PCs about a bug that could let an attacker delete files from their computer.
Third-party researchers discovered that Adobe’s suite of design apps for Windows is vulnerable to a Time Of Check To Time Of Use (TOCTTOU) race condition, which impacts the safety checks a program carries out when using resources like files, memory, and processes.
If the state of a resource changes between check and use, it may allow an attack to change it too, in this case by deleting a user’s project files on a Windows PC.
According to Adobe, the bug CVE-2020-3808, is a critical flaw affecting Adobe Creative Cloud Desktop Application for Windows versions 5.0 and earlier.
“Successful exploitation could lead to arbitrary File Deletion in the context of the current user,” Adobe said a security bulletin on Tuesday.
Adobe is urging its Creative Cloud users to update to version 5.1 for Windows.
Adobe appears to consider this bug a serious one, given it has opted to release a security fix outside its usual schedule that falls in line with Microsoft’s Patch Tuesday.
Adobe said it is not aware of any exploits in the wild for CVE-2020-3808, which might explain why it only gave it a priority rating of ‘2’ for installing the updated version.
This rating is for bugs for which there are currently no known exploits and where it doesn’t expect an exploit to appear imminently. The rating suggests users should install the update “soon”, such as within 30 days. If it was rated ‘1’, it recommends updates are installed within 72 hours due to the higher risk of exploits in the wild.
But it has rated the bug as critical because if it were exploited, it “would allow malicious native-code to execute, potentially without a user being aware”.
Adobe credited Jiadong Lu of South China University of Technology and Zhiniang Peng of Qihoo 360 Core Security for reporting the issue.
The emergency patch for Creative Cloud follows a security blunder by Adobe last year that exposed 7.5 million Adobe Creative Cloud users’ customer accounts on the internet inside an Elasticsearch database that wasn’t protected by a password.