Adobe released a second unscheduled fix this month, this time for a flaw in its Creative Cloud desktop application that could lead to privilege escalation.
While the vulnerability (CVE-2018-12829) was rated “important,” Adobe acknowledged on Tuesday that it is aware of publicly available proof-of-concept code that leverages the flaw.
“A Security Bulletin (APSB18-32) has been published regarding security updates for Adobe Creative Cloud Desktop Application for Windows and MacOS. This update resolves an important vulnerability that could lead to privilege escalation, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin,” Adobe said in a statement posted Tuesday.
Creative Cloud Desktop Application is a centralized place where users can locate and manage their Adobe apps. The vulnerability, an improper certificate validation flaw, means an attacker could exploit it to gain elevated access to resources normally protected within an application. Adobe said that a flaw categorized as “important” is one whose exploitation would compromise data security, potentially allowing access to confidential data.
Creative Cloud Desktop Application versions 4.6.0 and earlier (on Windows and macOS) are impacted. Adobe recommends users update their application to version 4.6.1 via the Adobe Download Center. The update is given a priority rating of 2, meaning while there are no known exploits, the vulnerabilities are in a product that has historically been at “elevated risk,” according to Adobe.
Chi Chou of AntFinancial LightYear Labs was credited with reporting the flaws.
The release is the second unscheduled update this month. Last week, Adobe issued unscheduled patches for two critical flaws that could enable remote code execution in Photoshop CC.
Adobe’s regularly scheduled patches were updated earlier this month. During that release, the company released 11 total fixes for an array of products, including two critical patches for Acrobat and Reader for Windows and macOS. Exploitation of those two vulnerabilities could lead to arbitrary code execution in the context of the current user.