Adobe is urging Creative Cloud Desktop Application customers running Windows to upgrade immediately to prevent hackers from deleting their files.
According to a blog post, “Adobe has released security updates for Creative Cloud Desktop Application (APSB20-11) for Windows. This update addresses a critical vulnerability. Successful exploitation could lead to arbitrary File Deletion in the context of the current user. Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.”
The vulnerability was discovered by “Jiadong Lu of South China University of Technology and Zhiniang Peng of Qihoo 360 Core Security.” According to Adobe’s bulletin, the vulnerability is a Time Of Check To Time Of Use (TOCTTOU) race condition.
According to CWE, with a TOCTTOU vulnerability, “the software checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.
“This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs.”
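The check-then-use gap CWE describes, as an added illustration that is not Adobe's code and not taken from the bulletin: a constructed POSIX/Python cleanup routine that validates a path and then deletes it by name, beside a form that resolves the path once and unlinks relative to the directory descriptor it holds. Every function name, file name and the temp-directory layout is an assumption made for the example; the affected product runs on Windows and its internals are not described here.

```python
import os
import tempfile

def delete_check_then_use(base, rel, race_window=None):
    """Weak pattern: validate the path, then delete by name afterwards."""
    path = os.path.join(base, rel)
    inside = os.path.realpath(base) + os.sep
    if not os.path.realpath(path).startswith(inside):   # time of check
        return False
    if race_window:
        race_window()      # stands in for the gap between check and use
    os.remove(path)        # time of use: the name is resolved a second time
    return True

def delete_via_dirfd(base, rel, race_window=None):
    """Hardened: walk the path once without following symlinks, then unlink
    relative to the directory descriptor that walk produced."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    *dirs, name = rel.split(os.sep)
    if ".." in dirs or name in ("", ".", ".."):
        return False
    fd = os.open(base, flags)
    try:
        for part in dirs:
            nxt = os.open(part, flags, dir_fd=fd)   # OSError if part is a symlink
            os.close(fd)
            fd = nxt
        if race_window:
            race_window()
        os.unlink(name, dir_fd=fd)   # acts on the held directory, not a name
        return True
    except OSError:
        return False
    finally:
        os.close(fd)

def run_demo(delete_fn):
    """Constructed scenario in a temp dir: returns (deleted, outside_file_survived)."""
    root = tempfile.mkdtemp()
    work, outside = os.path.join(root, "work"), os.path.join(root, "outside")
    cache = os.path.join(work, "cache")
    for d in (cache, outside):
        os.makedirs(d)
        open(os.path.join(d, "data.tmp"), "w").close()
    def swap():   # the resource changes state after it was checked
        os.rename(cache, cache + ".old")
        os.symlink(outside, cache)
    deleted = delete_fn(work, os.path.join("cache", "data.tmp"), swap)
    return deleted, os.path.exists(os.path.join(outside, "data.tmp"))
```

`run_demo(delete_check_then_use)` loses the file outside the working directory even though the check passed, while `run_demo(delete_via_dirfd)` removes only the file that was validated.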
This is a major vulnerability and all impacted users should update immediately to ensure the security of their files.