CVE-2024-34116 - Inside the Creative Cloud Desktop Vulnerability That Lets Attackers Delete Your Files

If you use Adobe’s Creative Cloud Desktop to manage Photoshop, Illustrator, or any other Adobe apps, you should know about CVE-2024-34116. This security hole affects versions up to 6.1..587 and could let attackers delete any file on your computer by sneaking a malicious library into your machine—if you click just one thing.

Here's a plain-language breakdown, with code snippets, reference links, and how an exploit would work. This write-up is exclusive and not a rehash. Let's get to it.

What is CVE-2024-34116?

Adobe Creative Cloud Desktop, through versions 6.1..587 and earlier, doesn't safely control where it searches for system resources. This flaw is called an Uncontrolled Search Path Element vulnerability. In short: Creative Cloud Desktop might load system libraries (*.dll* files) from unsafe locations if an attacker gets them onto your computer. The software may then run malicious code, allowing someone to delete (or manipulate) files on your machine.

How Does It Work?

When Creative Cloud Desktop launches, it loads dynamic libraries (*DLL*s) needed to work. If the app looks in directories it shouldn’t—like the directory it's run from or other writeable folders—an attacker could trick it into loading a malicious DLL.

If a user is coaxed into running Creative Cloud from a folder the attacker controls (or where the attacker managed to drop their code), Creative Cloud might pick up and run the attacker’s DLL instead of the real one.

What can the attack do? The vulnerable code can be used to delete arbitrary files. Imagine running Creative Cloud, and it deletes your Documents folder because of a rogue DLL.

1. Malicious DLL Creation

An attacker writes a DLL called, for example, sqlite3.dll, with malicious code to delete a file.

malicious_sqlite3.dll (C++ Pseudocode)

// malicious_sqlite3.cpp
#include <windows.h>
#include <stdio.h>

// On load, deletes important file!
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
  if(ul_reason_for_call == DLL_PROCESS_ATTACH) {
      DeleteFileA("C:\\Users\\victim\\Documents\\important.docx");
  }
  return TRUE;
}

2. Plant the DLL Next to Creative Cloud Executable

Suppose the attacker convinces you to download a ZIP file, and inside it is both the Creative Cloud.exe (really, a renamed copy of the legit app, or a shortcut to the real one) and the malicious sqlite3.dll.

3. User Interaction

The attacker tells you, “Please open the Creative Cloud from this folder to fix a problem.”

Once you run the executable from the attacker’s folder, Creative Cloud Desktop loads, but it picks up the malicious sqlite3.dll first, before the system’s harmless copy. The DLL runs and deletes the target file.

4. Result

Creative Cloud opens as normal — but your files are already gone. No antivirus may flag it, as it looks like a regular Creative Cloud run.

Here's the technical issue

Many Windows applications, unless programmed carefully, look for DLLs first in their startup directory. If an attacker can get their code into that directory, and the program loads the library without a full path (known as a "DLL side-loading" or "search path hijacking"), bad things happen.

Example

// BAD: No full path, will search in current directory FIRST!
LoadLibraryA("sqlite3.dll");

---

How Serious Is This?

- Needs Trickery: The attacker needs to get their DLL onto your machine and make you run Creative Cloud from there.
- Serious Damage: If they succeed, they can potentially delete *any* file you have permission to delete.
- No Code Needed: No phishing, no exploit code needed on a website — it’s a simple trick, but can cause real damage.

How To Protect Yourself

1. Update Immediately: Adobe has patched this in newer versions. Go to Adobe Creative Cloud Downloads and update if you haven’t.
2. Don’t Run from Downloads: Never open Creative Cloud (or any program) from a downloads or temp folder, especially after extracting a ZIP file from someone else.

References

- Adobe Security Bulletin APSB24-36 (official advisory)
- MITRE CVE-2024-34116 record
- DLL Side-Loading explained

Final Word

CVE-2024-34116 isn’t the flashiest bug, but it’s the kind that attackers love because it uses regular system behavior and social tricks instead of fancy code. As always: Update your software, and don’t open programs from weird locations.

Has your workflow been touched by this? Share your experience or questions below!

Timeline

Published on: 06/13/2024 12:15:11 UTC
Last modified on: 07/19/2024 17:40:23 UTC