Adobe has issued a patch for a critical flaw that can be exploited to delete files from Windows computers running the Creative Cloud client.
Dubbed CVE-2020-3808, the vulnerability is a classic time-of-check-to-time-of-use flaw where, by exploiting a race condition, a miscreant could potentially trick the system into deleting work-in-progress files and other data-destroying shenanigans.
"Successful exploitation could lead to arbitrary File Deletion in the context of the current user," Adobe said in its bulletin today.
If there is one saving grace here, it's that Adobe told The Register a scumbag would have to convince a mark to download and open a poisoned document to trigger exploitation.
In other words, so long as you don't go around opening random Creative Cloud projects, this shouldn't be a massive problem, but, let's face it, everyone gets sloppy occasionally.
It's 2020 and hackers are still hijacking Windows PCs by exploiting font parser security holes. No patch, eitherREAD MORE
If you do slip up, a hacker can delete files you've spent a long and hard time working on. The fact Adobe is releasing this now, rather than on a Patch Tuesday, suggests the Silicon Valley biz gets the potential ramifications. Adobe, for its part, described the vulnerability as being a "critical" risk, though only assigned the update a '2' priority rating (a '1' being the highest priority and generally reserved for arbitrary code execution bugs that are under active or imminent attack).
Still, it's never a good idea to put off patching. Users and admins should update Creative Cloud for Windows to version 5.1 or later to make sure their machines are guarded from the flaw.
No other operating systems are believed to be at risk.
While you're at it, it would also be a good idea to make sure machines are mitigated against the under-exploit code execution bug described yesterday by Microsoft. The attack, which has not yet been patched, relies on a font-parsing bug to gain malicious code execution. Microsoft has not yet said when it plans to fix that flaw. The next scheduled round of security fixes is due April 14. ®