Bundled version of Node.js simplifies executing downloaded code
Adobe Creative Cloud Experience, a service installed via the Creative Cloud installer for Windows, ships with a Node.js executable (node.exe) that will run any JavaScript file it is pointed at, which makes it a convenient, vendor-signed launcher for malware on a victim's PC.
Michael Taggart, a security researcher, recently demonstrated that the node.exe instance accompanying Adobe's service could be exploited by writing a simple proof-of-concept JavaScript file that spawns the Windows Calculator app.
"I have confirmed that the node.exe packaged with the Adobe Customer Experience service can run any JavaScript you point it to," he explained to The Register.
[. . .] Security researchers commenting on Taggart's finding said they'd been under the impression the bundled Node runtime would only execute files signed by Adobe, but evidently that's not the case.
[. . .] "Because the JavaScript is getting invoked by path in C:\Program Files, it would be extremely difficult to detect from a monitoring/threat hunting perspective," explained Taggart, who added that he was able to get his own custom file dropper to run and execute a command-and-control agent without any warning from Windows Defender.
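The detection problem Taggart describes is that the process image (a signed node.exe under C:\Program Files) looks trustworthy, so the only tell is the argument it was handed. The sketch below is an added example, not code from the article or from Adobe: it reduces Sysmon-style process-creation records (Image, CommandLine, CurrentDirectory, ParentImage) to one rule, "bundled node.exe under Program Files running a script outside its own install tree, or given inline code via -e/--eval". The install path `C:\Program Files\Adobe\ExampleBundle` and all sample events are constructed placeholders; the page does not give Adobe's real directory layout.

```python
"""Flag a vendor-bundled node.exe launching attacker-supplied JavaScript.

Added example (not from the article). Works on constructed Sysmon-style
Event ID 1 fields; the Adobe-like paths below are placeholders.
"""
import ntpath  # Windows path rules, usable on any OS
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Roots that make an image look "trusted" to casual triage.
PROGRAM_FILES_ROOTS = ("C:\\Program Files", "C:\\Program Files (x86)")
# Node flags that execute code straight from the command line, no file needed.
INLINE_CODE_FLAGS = {"-e", "--eval", "-p", "--print"}


@dataclass
class ProcessEvent:
    image: str              # Sysmon Image
    command_line: str       # Sysmon CommandLine
    current_directory: str  # Sysmon CurrentDirectory
    parent_image: str       # Sysmon ParentImage (context for the alert)


def norm(path: str) -> str:
    """Normalise for comparison: backslashes, no trailing separator, lower case."""
    return path.replace("/", "\\").rstrip("\\").lower()


def is_under(path: str, root: str) -> bool:
    """True if path is root itself or lies inside root (case-insensitive)."""
    p, r = norm(path), norm(root)
    return p == r or p.startswith(r + "\\")


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal tokenizer: split on whitespace outside double quotes, drop the quotes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def resolve(script: str, cwd: str) -> str:
    """Absolute, ..-collapsed Windows path for the script argument."""
    script = script.replace("/", "\\")
    if not ntpath.isabs(script):
        script = ntpath.join(cwd, script)
    return ntpath.normpath(script)


def classify(ev: ProcessEvent) -> Optional[str]:
    """Reason string if this looks like a bundled node.exe running foreign code, else None."""
    if norm(ev.image).rsplit("\\", 1)[-1] != "node.exe":
        return None
    if not any(is_under(ev.image, root) for root in PROGRAM_FILES_ROOTS):
        return None  # a developer's own Node install is a different hunt
    runtime_dir = ntpath.dirname(ev.image)
    args = split_windows_cmdline(ev.command_line)[1:]  # drop argv[0]
    for flag in args:
        if flag in INLINE_CODE_FLAGS:
            return f"{ev.image} given inline JavaScript via {flag} (parent {ev.parent_image})"
    script = next((a for a in args if not a.startswith("-")), None)
    if script is None:
        return None  # REPL or --version style invocation, not the PoC pattern
    script_abs = resolve(script, ev.current_directory)
    if is_under(script_abs, runtime_dir):
        return None  # the vendor's own bundled code: expected
    return f"{ev.image} executing {script_abs} outside its install tree (parent {ev.parent_image})"


def scan(events: Iterable[ProcessEvent]) -> List[Tuple[int, str]]:
    """(index, reason) for every event the rule fires on."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev)) is not None]


BUNDLE_DIR = "C:\\Program Files\\Adobe\\ExampleBundle"  # placeholder, not Adobe's real layout
NODE = f"{BUNDLE_DIR}\\node.exe"
SAMPLE_EVENTS = [  # constructed records
    # 0: service runs its own script from its own tree: expected, not flagged
    ProcessEvent(NODE, f'"{NODE}" "{BUNDLE_DIR}\\app\\main.js"', BUNDLE_DIR, "C:\\Windows\\System32\\services.exe"),
    # 1: the PoC shape: trusted image, script in the user's Downloads folder
    ProcessEvent(NODE, f'"{NODE}" C:\\Users\\victim\\Downloads\\calc.js', "C:\\Users\\victim", "C:\\Windows\\explorer.exe"),
    # 2: no file at all, code passed inline
    ProcessEvent(NODE, f'"{NODE}" -e "console.log(1)"', "C:\\Users\\victim", "C:\\Windows\\System32\\cmd.exe"),
    # 3: relative script name, so the working directory decides where it lives
    ProcessEvent(NODE, f'"{NODE}" stage2.js', "C:\\Users\\victim\\AppData\\Local\\Temp", "C:\\Windows\\System32\\cmd.exe"),
    # 4: a developer's own Node install: real, but outside this rule's scope
    ProcessEvent("C:\\Users\\dev\\nodejs\\node.exe", '"C:\\Users\\dev\\nodejs\\node.exe" build.js', "C:\\Users\\dev\\proj", "C:\\Windows\\System32\\cmd.exe"),
    # 5: ..\ traversal out of the install tree must still be caught
    ProcessEvent(NODE, f'"{NODE}" ..\\..\\..\\Users\\Public\\drop.js', BUNDLE_DIR, "C:\\Windows\\System32\\services.exe"),
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Events 1, 2, 3 and 5 fire; 0 and 4 do not. The rule deliberately ignores Node installs outside Program Files, because the point of this finding is the trusted-looking image path, and it resolves relative script names against the recorded working directory so a drop into %TEMP% is not hidden by a bare filename.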
(Score: 1, Insightful) by Anonymous Coward on Monday April 11 2022, @01:22AM
Design
(Score: 5, Insightful) by RedGreen on Monday April 11 2022, @03:30AM (1 child)
Both virus delivery systems masquerading as software, has been so for decades. I have yet to figure out why people run their garbage. I certainly gave up on Microsoft just about twenty-three years ago to the day, though it was early May of 1999 when it happened. I know it was 1999 when that wonderful Win98SE "upgrade" left my SB AWE 64 Gold sound card only able to play a MIDI file no matter which Windows OS I downgraded to. The Red Hat 5.2 I bought allowed it to play audio just fine, and I never ran Linux on a modem, only a DSL connection; I got that the last day of April in that year, and the "upgrade" was just after that. Adobe, never have used their junk; Flash, never installed it; for .pdf files I used other readers. And now that I check, I know the exact date, May 4th, so probably a couple of days after that I got my hands on it; apparently this old brain still works....
https://winworldpc.com/product/windows-98/98-second-edition [winworldpc.com]
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2) by RedGreen on Wednesday April 13 2022, @05:48AM
Now I'm reminded of this thread by reading this. Seems they both had another shitload of exploits to patch.
https://www.theregister.com/2022/04/13/microsoft_patch_tuesday/ [theregister.com]
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 3, Informative) by Anonymous Coward on Monday April 11 2022, @04:41AM
Story about the "Russian Hacker" (actually, computer science grad student) who Broke Adobe's e-book encryption! (OK, it was just ROT-13), and who Adobe had the FBI arrest, because, reasons.
https://www.wired.com/2001/07/russian-adobe-hacker-busted/ [wired.com]
But Wired has always been a bit tired, and something of a Gavin McInnes hipster sort of rag. Better coverage:
https://www.eff.org/cases/us-v-elcomsoft-sklyarov [eff.org]
Anyone who uses any Adobe software deserves the horrific and depraved fate they suffer. They are not a software company, they are an imaginary property rent-seeker. They need to cease to exist.
And what kind of idiots would be using an operating system based on storage devices? Oh, them.
All by himself he did that! Must be so proud, like hitting the cheerios in the potty, OMG! A Windows vulnerability!! Say it ain't so, jan, say it ain't so!
(Score: 3, Touché) by Anonymous Coward on Monday April 11 2022, @10:04AM
OMG, did that "security researcher" warn us about the dangers of cmd.exe, cscript.exe and powershell too?
Seriously, if the attacker can already do that they can get the victim to run other stuff too.
Maybe he should also go point out similar Linux "vulnerabilities" - /bin/sh /bin/bash /usr/bin/perl /usr/bin/python etc
(Score: 5, Insightful) by stretch611 on Monday April 11 2022, @10:15AM
If you are paying "rent" to Adobe to run Creative Cloud you are already a victim. The node.exe that it installs is just a gift to other thieves to show that this person is a pathetic "mark" to be taken advantage of.
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 0) by Anonymous Coward on Monday April 11 2022, @01:19PM
Who are these self-proclaimed "security researchers" and shouldn't they be disbarred for life after professing to making such ludicrous assumptions?