Release date: June 14, 2016
Vulnerability identifier: APSB16-21
CVE number: CVE-2016-4157, CVE-2016-4158
Adobe has released a security update for the Creative Cloud Desktop Application for Windows. This update resolves an untrusted search path vulnerability in the Creative Cloud Desktop Application installer, and an unquoted service path enumeration vulnerability in the Creative Cloud Desktop Application.
|Creative Cloud Desktop Application||Creative Cloud 18.104.22.168 and earlier versions||Windows|
Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:
|Product||Updated version||Platform||Priority rating|
|Creative Cloud Desktop Application||Creative Cloud 22.214.171.1242||Windows||3|
Creative Cloud 126.96.36.1992 installer will be available starting on June 13th, 2016. For more details, visit https://www.adobe.com/creativecloud/desktop-app.html.
For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages as described in the workflow documented here.
Refer to this help page for more information on the Creative Cloud Packager.
- This update resolves a vulnerability in the directory search path used to find resources that could lead to code execution (CVE-2016-4157).
- This update resolves an unquoted service path enumeration vulnerability in the Creative Cloud Desktop Application(CVE-2016-4158).
Adobe would like to thank the following individuals and organizations for reporting these issues and for working with Adobe to help protect our customers:
- YoKo Kho and Dicky (@dickysOfficial) of MII - CAS Dept (CVE-2016-4157).
- Cyril Vallicari / Ug_0 Security and Security team Netservice de Toekomst (CVE-2016-4158).