Adobe has released another security patch outside of its usual routine this month to deal with a strange bug that can allow attackers to delete victims’ files.
The file-deleting bug, CVE-2020-3808, stems from a time-of-check to time-of-use (TOCTOU) race condition. This class of flaw arises when a program checks the state of a shared resource, such as a file, and then acts on it, while something else changes that resource in the gap between the two operations. That allows an attacker to manipulate files on the victim’s system. The company warned:
Successful exploitation could lead to arbitrary file deletion.
To successfully exploit the flaw, an attacker would need to convince a victim to open a malicious file, Adobe has said.
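Adobe's advisory, as reported here, gives no detail of the vulnerable code, so the following is an added illustration of the bug class only, not Adobe's code: a check-then-delete routine beside a hardened one that pins the directory with a descriptor. It assumes a POSIX system; every function and file name is hypothetical, and the `between` hook stands in for the race window so the outcome is deterministic.

```python
import os
import tempfile

def delete_check_then_use(base, name, between=None):
    """Racy pattern: validate a path string, then resolve it again to act."""
    path = os.path.join(base, name)
    root = os.path.realpath(base) + os.sep
    if not os.path.realpath(path).startswith(root):   # time of check
        raise PermissionError(name)
    if between:
        between()          # stands in for the gap another process can run in
    os.unlink(path)        # time of use: the path is walked a second time

def delete_pinned(base, name, between=None):
    """Hardened: walk once with directory descriptors, never follow links."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    *dirs, leaf = name.split("/")
    if any(p in ("", ".", "..") for p in dirs + [leaf]):
        raise PermissionError(name)
    fd = os.open(base, flags)
    try:
        for d in dirs:                       # each hop is relative to a pinned fd
            nxt = os.open(d, flags, dir_fd=fd)
            os.close(fd)
            fd = nxt
        if between:
            between()
        os.unlink(leaf, dir_fd=fd)           # acts on the directory that was checked
    finally:
        os.close(fd)

def outside_file_survives(delete):
    """Constructed scenario: 'cache' is re-pointed between check and use."""
    top = tempfile.mkdtemp()
    base, outside = os.path.join(top, "base"), os.path.join(top, "outside")
    cache = os.path.join(base, "cache")
    os.makedirs(cache)
    os.makedirs(outside)
    for d in (cache, outside):
        open(os.path.join(d, "item.tmp"), "w").close()
    def repoint():
        os.rename(cache, cache + ".old")
        os.symlink(outside, cache)
    delete(base, "cache/item.tmp", between=repoint)
    return os.path.exists(os.path.join(outside, "item.tmp"))

if __name__ == "__main__":
    print("check-then-use keeps outside file:", outside_file_survives(delete_check_then_use))
    print("pinned descriptor keeps outside file:", outside_file_survives(delete_pinned))
```

The hardened routine deletes only inside the directory it opened, because the descriptor keeps referring to that directory even after its name is re-pointed.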
Creative Cloud is a subscription-based service that lets users access Adobe’s range of creative software products online, and use some cloud-based services that support them. Users get well-known Adobe titles like Acrobat, After Effects, Dreamweaver, Illustrator, InDesign, and Photoshop. It replaced Creative Suite, which was Adobe’s perpetual license software.
The bug affects Creative Cloud version 5.0 and earlier on Windows platforms according to the company’s advisory, and it has a severity rating of critical. Adobe has issued a fix and given it a priority rating of two. In other words, it isn’t the most urgent patch in history, but you should still hop on it, sharpish. The fact that the company issued an out-of-band patch to fix the vulnerability indicates how seriously it’s taking this.
The fix involves installing version 5.1 of the software.
This isn’t the only such patch this month. The company issued a gaggle of bug fixes on 17 March, which were late, as it normally aligns its patches with Microsoft’s Patch Tuesday releases. The 41 vulnerabilities appeared in Photoshop, Acrobat, and Reader, and more than half of them received a critical rating.
In its advisory this week, Adobe credited Jiadong Lu of South China University of Technology and Zhiniang Peng of Qihoo 360 Core Security with finding the file-munching bug.