Adobe Creative Cloud Experience makes it easier to run malware
Bundled version of Node.js simplifies executing downloaded code
Adobe Creative Cloud Experience, a service installed via the Creative Cloud installer for Windows, includes a Node.js executable that can be abused to infect and compromise a victim's PC.
Michael Taggart, a security researcher, recently demonstrated that the
"I have confirmed that the
node.exe for execution."
Security researchers commenting on Taggart's finding said they'd been under the impression the bundled Node runtime would only execute files signed by Adobe, but evidently that's not the case.
The presence of an unrestricted instance of Node.js on a system isn't as severe as a backdoor or internet-facing flaw that enables remote code execution – an attacker without some other vulnerability to exploit would need to induce the victim to download and run the script. But its availability does make it easier to mount an attack and to conceal that anyone has done so.
C:\Program Files, it would be extremely difficult to detect from a monitoring/threat hunting perspective," explained Taggart, who added that he was able to get his own custom file dropper to run and execute a command-and-control agent without any warning from Windows Defender.
In other words, the primary benefit of abusing node.exe in this way would be to run unsigned code in a way that isn't obvious to threat detection systems.
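The detection gap Taggart describes is a legitimately signed runtime in a trusted location being handed a script it was never meant to run. One way a defender can surface that on process-creation telemetry is to look at what the bundled node.exe is actually asked to execute, not just at the binary. The following is an added example, not code from the article or from Adobe: it parses constructed Sysmon-style process events and flags launches of the Creative Cloud Experience node.exe whose script lies outside Adobe's install tree or that take inline code via -e/-p. The install path, the trusted script roots and the sample events are assumptions; the article only gives the folder name and that it lives under C:\Program Files.

```python
"""Triage Windows process-creation events for Adobe's bundled node.exe.

Added detection sketch (not Adobe's code): flag runs of the Creative Cloud
Experience Node runtime whose script lives outside Adobe's own install tree,
or that evaluate code passed inline on the command line.
"""
import re
from pathlib import PureWindowsPath

# ASSUMED install location of the bundled runtime (the article only says a
# folder named "Adobe Creative Cloud Experience" under C:\Program Files).
# Lower-cased so comparisons are case-insensitive, as NTFS paths are.
ADOBE_NODE_DIRS = [
    PureWindowsPath(r"c:\program files\adobe\adobe creative cloud experience"),
]
# Scripts under these roots are treated as Adobe's own (assumed baseline).
TRUSTED_SCRIPT_ROOTS = [
    PureWindowsPath(r"c:\program files\adobe"),
    PureWindowsPath(r"c:\program files (x86)\adobe"),
    PureWindowsPath(r"c:\program files\common files\adobe"),
]
INLINE_EVAL_FLAGS = {"-e", "--eval", "-p", "--print"}     # code comes from the command line
VALUE_FLAGS = {"-r", "--require", "--import", "--loader"}  # these consume the next argument

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmdline)]


def is_under(path: str, roots) -> bool:
    """True if path equals or sits below any of the roots (case-insensitive)."""
    p = PureWindowsPath(path.lower())
    return any(p == r or r in p.parents for r in roots)


def script_argument(args: list[str]):
    """Return (script, inline_eval) for a node command line; args[0] is node.exe."""
    it = iter(args[1:])
    for a in it:
        if a in INLINE_EVAL_FLAGS:
            return None, True
        if a in VALUE_FLAGS:
            next(it, None)           # skip the flag's value
            continue
        if a == "--":
            return next(it, None), False
        if a.startswith("-"):
            continue                 # other node options take no separate value
        return a, False
    return None, False


def triage(events):
    """Return findings for events that launch the Adobe node.exe with untrusted code."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        if image.name.lower() != "node.exe" or not is_under(str(image.parent), ADOBE_NODE_DIRS):
            continue                 # other Node runtimes are out of scope for this rule
        script, inline = script_argument(split_cmdline(ev["command_line"]))
        if inline:
            reason = "inline code via -e/-p"
        elif script is None:
            reason = "no script argument (code from stdin or REPL)"
        else:
            full = PureWindowsPath(script)
            if not full.is_absolute():
                full = PureWindowsPath(ev.get("cwd", "")) / full
            if is_under(str(full), TRUSTED_SCRIPT_ROOTS):
                continue             # Adobe's own script: expected behaviour
            reason = f"script outside Adobe install tree: {full}"
        findings.append({"id": ev["id"], "reason": reason})
    return findings


# Constructed sample events in Sysmon-style fields; not real telemetry.
_NODE = r"C:\Program Files\Adobe\Adobe Creative Cloud Experience\node.exe"
SAMPLE_EVENTS = [
    {"id": 1, "image": _NODE, "cwd": r"C:\Program Files\Adobe\Adobe Creative Cloud Experience",
     "command_line": f'"{_NODE}" "C:\\Program Files\\Adobe\\Adobe Creative Cloud Experience\\js\\main.js"'},
    {"id": 2, "image": _NODE, "cwd": r"C:\Users\alice\Downloads",
     "command_line": f'"{_NODE}" C:\\Users\\alice\\Downloads\\update.js'},
    {"id": 3, "image": _NODE, "cwd": r"C:\Users\alice",
     "command_line": f'"{_NODE}" -e "console.log(1)"'},
    {"id": 4, "image": _NODE, "cwd": r"C:\Users\alice\AppData\Local\Temp",
     "command_line": f'"{_NODE}" -r ./preload.js helper.js'},
    {"id": 5, "image": r"C:\tools\node\node.exe", "cwd": r"C:\src",
     "command_line": r"C:\tools\node\node.exe build.js"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Events 2, 3 and 4 are reported; event 1 is Adobe's own script and event 5 is a different Node install that this rule deliberately ignores. The rule keys on the script path rather than the binary because, as the article notes, the binary itself is signed and sits in an expected location; tuning the trusted roots to what Adobe actually ships on a given host is the main source of false positives.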
Curiously, this is not the first time concerns have been raised about Creative Cloud Experience. An Adobe customer posting to the Adobe Support Community in February notes, "My protection program on my PC detected the folder Adobe Creative Cloud Experience, e.g. node.exe, as security risk." The advice given is to simply ignore the warnings.
Then there's a post from December 2021, in which an Adobe customer inquires about Malwarebytes security software detecting a suspicious outbound connection from the node.exe instance within Creative Cloud Experience.
The presence of node.exe in other Adobe applications like Photoshop has also elicited concern from those presented with warnings about the executable from their security applications. A discussion spanning the past three years in the forum for Acronis, a security application, suggests warnings raised over the presence of node.exe are false positives and that users should tell their apps to ignore such files.
The Register asked Adobe whether it considers the ability to run unsigned code on systems via Creative Cloud Experience's node.exe to be a problem, but we've not heard back. ®