A serious flaw was discovered in the Creative Cloud Desktop Application for Windows machines. This vulnerability was reported by Jiadong Lu from South China University of Technology and Zhiniang Peng, a security researcher at Qihoo 360 Core Security [1]. If exploited, it would lead to arbitrary deletion of files in the scope of the current user.
Insights
Creative Cloud Desktop App is centralized management software that allows users to manage, update and launch other Adobe products such as Illustrator and Photoshop. The vulnerability is tracked as CVE-2020-3808 and has a CVSS v2 exploitability score of 8.6/10 [2]. The issue is caused by a time-of-check to time-of-use (TOCTOU) race condition. A race condition occurs when two processes simultaneously attempt to access the same resource. In this specific condition, “the state of the resource is changed between the time interval when a process checks the condition and when the same process tries to access the resource based on the condition” [3]. This allows an unauthorized attacker to delete arbitrary files on the user's machine. The vulnerability affects all versions of the Creative Cloud App at 5.0 and below.
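The check-then-use pattern described above, next to one way of closing the window, as an added illustration: this is not Adobe's code and is not taken from the cited advisories. It uses POSIX calls from Python rather than the Windows API, all names (`cleanup_racy`, `cleanup_pinned`, `simulate`, the `cache` and `docs` directories) are hypothetical, and it assumes the cache root itself is trusted.

```python
import os, tempfile

def inside(path, root):
    """True if path currently resolves to a location under root."""
    return os.path.realpath(path).startswith(os.path.realpath(root) + os.sep)

def cleanup_racy(root, sub, name, window=lambda: None):
    """Check-then-use: the check and the delete each resolve the path by name."""
    path = os.path.join(root, sub, name)
    if not inside(path, root):                 # time of check
        return False
    window()                                   # state may change here
    os.remove(path)                            # time of use: resolved again
    return True

def cleanup_pinned(root, sub, name, window=lambda: None):
    """Open the directory once, then delete relative to that handle."""
    if any(os.sep in p or p in ("", ".", "..") for p in (sub, name)):
        return False
    try:
        dfd = os.open(os.path.join(root, sub),
                      os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:                            # a link or non-directory: refuse
        return False
    try:
        window()                               # a later swap no longer matters
        os.unlink(name, dir_fd=dfd)            # acts on the directory we opened
        return True
    except OSError:
        return False
    finally:
        os.close(dfd)

def simulate(cleanup):
    """Constructed scenario: the work directory is replaced during the window.
    Returns True if the file outside the cache survived the cleanup."""
    base = tempfile.mkdtemp()
    root, docs = os.path.join(base, "cache"), os.path.join(base, "docs")
    os.makedirs(os.path.join(root, "job"))
    os.mkdir(docs)
    for d in (os.path.join(root, "job"), docs):
        open(os.path.join(d, "data.tmp"), "w").close()
    def swap():
        os.rename(os.path.join(root, "job"), os.path.join(root, "job.old"))
        os.symlink(docs, os.path.join(root, "job"))
    cleanup(root, "job", "data.tmp", window=swap)
    return os.path.exists(os.path.join(docs, "data.tmp"))

if __name__ == "__main__":
    print(simulate(cleanup_racy), simulate(cleanup_pinned))
```

The pinned version is safe because the check and the delete refer to the same opened directory object rather than to a name that is looked up twice.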
Conclusion
Adobe has released an update, version 5.1, which addresses this security bug, and advises its customers to update their applications to the latest version. Since this vulnerability can cause arbitrary deletion of files, it clearly violates the integrity of the system.
References