====================================================================
                           CERT-Renater

                 Information Note No. 2016/VULN155
_____________________________________________________________________

DATE                 : 13/04/2016

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Creative Cloud Desktop Application
                       versions prior to 3.6.0.244.

======================================================================
https://helpx.adobe.com/security/products/creative-cloud/apsb16-11.html
_____________________________________________________________________

Security update available for the Creative Cloud Desktop Application

Release date: April 12, 2016
Vulnerability identifier: APSB16-11
Priority: 2
CVE number: CVE-2016-1034
Platform: Windows and Macintosh

Summary

Adobe has released a security update for the Creative Cloud Desktop Application for Windows and Macintosh. This update resolves an important vulnerability in the Sync Process for Creative Cloud Libraries that could be abused to remotely read and write files on the client's file system.

Affected versions

Product                             Affected version                     Platform
Creative Cloud Desktop Application  Creative Cloud 3.5.1.209 or earlier  Windows and Macintosh

Solution

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:

Product                             Updated version           Platform               Priority rating
Creative Cloud Desktop Application  Creative Cloud 3.6.0.244  Windows and Macintosh  2

Creative Cloud users can apply the update via the application's update mechanism. For more details, visit https://www.adobe.com/creativecloud/desktop-app.html.

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages as described in the workflow documented here. Refer to this help page for more information on the Creative Cloud Packager.

Vulnerability Details

This update resolves a vulnerability in the JavaScript API for Creative Cloud Libraries that could be abused to remotely read and write files on the client's file system (CVE-2016-1034).

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting this issue and for working with Adobe to help protect our customers:

Independently disclosed by Roger Chen of the University of California, Berkeley, and Lokihardt working with Trend Micro's ZDI (CVE-2016-1034).

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44             +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41             +
+ 75013 Paris         | email: cert@support.renater.fr   +
==========================================================