Christmas presents from Adobe (APSB17-38 and APSB17-34) #facepalm

donmontalvo
Esteemed Contributor III

Thank you Adobe for the very special Christmas present. #not

Security updates available for Adobe Photoshop CC | APSB17-34
Affects 18.1.1 and earlier versions.

To remediate update:

  • Adobe Photoshop CC 2017 (18.1.1 or earlier)

To remediate remove:

  • Adobe Photoshop CC 2015.5 (all; 17.x)
  • Adobe Photoshop CC 2015 (all; 16.x)
  • Adobe Photoshop CC 2014 (all; 15.x)
  • Adobe Photoshop CC (all; 14.x)

Security updates available for InDesign | APSB17-38
Affects 12.1.0 and earlier versions.

To remediate remove:

  • Adobe InDesign CC 2017 (all; 12.x; 12.1.0 is latest and is vulnerable)
  • Adobe InDesign CC 2015 (all; 11.x)
  • Adobe InDesign CC 2014 (all; 10.x)
  • Adobe InDesign CC (all; 9.x)

You read that right. Adobe sucks so bad, that you have to remove their shit from your computer to protect yourself. #smfh

Earlier in the year Adobe began to confirm in writing (new managers?) that CC "uninstallers" do work (and ironically but not surprisingly that CS "uninstallers" never worked but I digress ¯_(ツ)_/¯ ). We have kept all our CC "uninstallers" so here is our plan.

STEP ONE (remediate vulnerable versions)

  • Drop the "uninstallers" for Photoshop CC/CC2014/CC2015 (CC2017 not needed since 18.1.2 update will patch) and InDesign CC/CC2014/CC2015/CC2017 into /tmp/fixAdobeShit/ directory.
  • Use script /tmp/fixAdobeShit/adobeSucks.sh to loop through /Applications directory to find and "uninstall" the vulnerable versions.
  • Script will also spit out summary to /Library/COMPANY/Adobe/InDesignBlowsChunks.txt and /Library/COMPANY/Adobe/PhotoshopBlowsChunks.txt in case we need it later.

STEP TWO (provide new versions if user meets requirements)

  • Lucky users on 10.11 or later would be in scope for Adobe Photoshop CC 2018 19.0.1.
  • Somewhat lucky users on 10.10 would be in scope for Adobe Photoshop CC 2017 18.1.2 (c'mon, update to 10.11 and be done with it!).

There would be a STEP THREE if we can forward all complaints/escalations to the inbox of Adobe's CEO...we can dream, no?

Pixelmator Pro The world’s most innovative image editing app

Pixelmator Pro wants to be the Photoshop killer on macOS

Pixelmator Pro: Everything you need to know!

Pixelmator Pro now available for $60, an advanced single-window image editor for Mac

Are You Metal Enough For Pixelmator Pro?

--
https://donmontalvo.com

bradtchapman
Valued Contributor II

Don Montalvo must be feeling...

Don Montalvo right now...

Taylor_Armstron
Valued Contributor

Check please! Think it's time to start my vacation now!

sigh

donmontalvo
Esteemed Contributor III

@Taylor.Armstrong the hardest part will be dealing with users who don't like their choices...

  1. Leave the vulnerable versions in place (most companies require permission/exception from security).
  2. Remove the vulnerable versions and don't upgrade computer to get new versions.
  3. Upgrade computer to 10.11 to support the InDesign CC 2018 13.0 or later, or 10.10 to support Adobe Photoshop CC 2017 18.1.2 (believe it, N-mucho is more common than some might think).

¯_(ツ)_/¯

--
https://donmontalvo.com

spalmer
Contributor III

Looking at the security notices, while they are both critical severity they are also given Adobe's lowest priority of 3:

https://helpx.adobe.com/security/severity-ratings.html

This update resolves vulnerabilities in a product that has historically not been a target for attackers. Adobe recommends administrators install the update at their discretion.

I am not trying to excuse Adobe but at least it looks like there have never been any attempts to exploit InDesign or Photoshop based on their Priority 3 description. These are probably considered much smaller targets by hackers compared to Adobe's other products like Flash and Acrobat.

mm2270
Legendary Contributor III

I'm so glad I'm not in an industry that needs to deal with Adobe's nightmares anymore, and I hope to never return to a company that has a large Adobe install base that I have to deal with again. It may eventually happen again, but I'll enjoy my time away from the mess for now.

dgasinowski
New Contributor

It's interesting how Adobe has zero communication in their Creative Cloud toolbar app. Maybe a message about this "critical priority 3 security issue" would be appropriate. bunch of jerks...

dgasinowski
New Contributor

The Creative Cloud Packager application has a "create uninstaller package" option which can bundle multiple uninstalls for all affected version numbers if that's helpful to folks.

donmontalvo
Esteemed Contributor III

@spalmer I feel sorry for all Adobe customers, really shows how reckless that company is. But then, they've got a lot of mouths to feed.

@mm2270 I envy you. Or I hate you. Can't decide. :)

@dgasinowski We keep all the "uninstallers" that CCP spits out so we're in good shape. Curious if an all inclusive "uninstaller" package would error if a version is not there? Good to know the option is there.

--
https://donmontalvo.com

gregneagle
Valued Contributor

Getting end-user reports that the Photoshop CC 2017 18.1.2 update is deleting users' custom brushes and presets. Fun fun fun.

bvrooman
Valued Contributor

@donmontalvo If you use the uninstallers that CCP spits out when you build an install package, they'll get mixed up if you have upgraded or changed the install since that package was built. Sometimes they fail, sometimes they silently leave applications installed.

You can also build an uninstall-only package that will fairly-reliably remove every version that you want (which, for what we use it to accomplish, is generally "all of them") without failing on a missing app/version. Unfortunately, that package is dumped out as a generic binary and an XML file that has to live in the same directory; we use Composer to make a .pkg which places that binary and XML file into a temp directory, then calls the binary. Also, it doesn't uninstall Acrobat ever, so that's a thing.

donmontalvo
Esteemed Contributor III

@gregneagle Woah, you're scaring me...guessing something got whacked by the 18.1.2 installer, or did an uninstaller do it?

@bvrooman Seems like the consensus is to build an all in one uninstaller, well I'll give that a shot, now that I have several test computers set up with InDesign/Photoshop CC/CC2014/CC2015/CC2017.

--
https://donmontalvo.com

gregneagle
Valued Contributor

@donmontalvo I'm not running any uninstaller -- just installing the new version of Photoshop CC 2017 over the existing version. No reports from anyone running Photoshop CC 2018 yet, but we don't have a lot of those people.

Taylor_Armstron
Valued Contributor

Interesting... we installed "on top of" as well, but it didn't remove the old. Just a bog-standard CCP package. We ran both for a few weeks, cleaning up the older installs now that all users seem to have adjusted to the update.

dpertschi
Valued Contributor

@donmontalvo As your attorney, I advise you to buy 10 lottery tickets. You’ll have better odds with that than one of your users having ‘remote code execution’ via InDesign or Photoshop. #AdobeDumsterFire

donmontalvo
Esteemed Contributor III

@gregneagle @Taylor.Armstrong Good catch, I edited the original post, Adobe InDesign CC 2017 (18.1.1 or older) needs to be updated to 18.1.2.

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

@dpertschi Risk mitigation falls on the Security Team's plate. #stayInYerLaneDude :):):) They send us a high rated ticket, we have to remediate. I know I don't ever want to be on the receiving end if/when there is a breach.

Being employable is a thing to most folks. Unless your mom is famous, then you can give everyone admin rights and remove all anti malware. Get fired one day, and land a lucrative movie role the next day. ¯_(ツ)_/¯

--
https://donmontalvo.com

chris_hansen
Contributor

@dpertschi Where did you get that delicious adobe dumpster fire icon?
I might put that on my uninstaller policy in Self Service, pending rights.

gregneagle
Valued Contributor

Photoshop CC 2018 users are also seeing their custom brushes, presets, and workspaces get deleted when updated from 19.0.0.x to 19.0.1. Fun times.

donmontalvo
Esteemed Contributor III

@gregneagle I spent years in a service bureau, backing up my settings, swatches, brushes, etc., was all on me. I can see how today’s users couldn’t be bothered. Hmmmm

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

Ok finally freed up some cycles to create two uninstallers. One for each vulnerability.

Will package up and test, since the choices seem to be the initial releases.

Hopefully no cruft left behind from updates on those apps.

If these leave cruft behind I'll do another round of testing, using the latest uninstallers.

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

As always, hoping this helps the next person...

The postinstall.sh script:

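#!/bin/sh

# Run the uninstaller only if it is present at the expected path.
if [ -e /private/tmp/.Adobe_InDesign-APSB17-38_uninstall/AdobeCCUninstaller ]; then
    /bin/echo "Running AdobeCCUninstaller for Adobe_InDesign-APSB17-38_uninstall..."
    # stderr from the uninstaller is discarded
    /private/tmp/.Adobe_InDesign-APSB17-38_uninstall/AdobeCCUninstaller 2> /dev/null
    /bin/sleep 30
    /bin/echo "Task completed..."
fi

# Always exits 0, whatever the uninstaller returned.
exit 0

--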
https://donmontalvo.com

donmontalvo
Esteemed Contributor III

Ran Adobe_InDesign-APSB17-38_uninstall.pkg and happy to report it appears to have run flawlessly.

Had InDesign CC/CC2014/CC2015/CC2017/CC2018 installed, targeted all but InDesign CC 2018.

Before: [image]

After: [image]

InDesign CC 2018 launched fine after the older versions were uninstalled.

Log shows it took roughly an hour with a user logged on.

Here's the log:

bash-3.2# tail -f /Users/currentUser/Library/Logs/AdobeCCUninstaller.log 
12/26/17 19:52:30:793 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Launching the AdobeCCUninstaller...
12/26/17 19:52:30:793 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | AdobeCCUninstaller version is : 1.11.0.8
12/26/17 19:52:30:807 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Products to be uninstalled:
12/26/17 19:52:30:807 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 |  (IDSN/10.0/osx10)
12/26/17 19:52:30:807 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 |  (IDSN/11.0/osx10)
12/26/17 19:52:30:807 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 |  (IDSN/12.0.0/osx10-64)
12/26/17 19:52:30:807 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 |  (IDSN/9.0/osx10)
12/26/17 19:52:30:807 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | **************************************************
12/26/17 19:52:30:807 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Attempting to uninstall the above products ...
12/26/17 19:52:30:812 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Uninstalling (IDSN/10.0/osx10)
12/26/17 20:04:17:851 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | The return code from the Adobe Installer Process is (0).Uninstallation successful.
12/26/17 20:04:17:851 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Successfully uninstalled (IDSN/10.0/osx10)
12/26/17 20:04:17:852 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | **************************************************
12/26/17 20:04:17:852 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Uninstalling (IDSN/11.0/osx10)
12/26/17 20:33:30:633 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | The return code from the Adobe Installer Process is (0).Uninstallation successful.
12/26/17 20:33:30:634 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Successfully uninstalled (IDSN/11.0/osx10)
12/26/17 20:33:30:634 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | **************************************************
12/26/17 20:33:30:634 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Uninstalling (IDSN/12.0.0/osx10-64)
12/26/17 20:33:54:856 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | The return code from the HDPIM Setup Process is (0). Successfully uninstalled.
12/26/17 20:33:54:856 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Successfully uninstalled (IDSN/12.0.0/osx10-64)
12/26/17 20:33:54:856 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | **************************************************
12/26/17 20:33:54:856 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Uninstalling (IDSN/9.0/osx10)
12/26/17 20:50:17:126 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | The return code from the Adobe Installer Process is (0).Uninstallation successful.
12/26/17 20:50:17:126 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Successfully uninstalled (IDSN/9.0/osx10)
12/26/17 20:50:17:126 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | **************************************************
12/26/17 20:50:17:129 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Summary:
12/26/17 20:50:17:130 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | **************************************************
12/26/17 20:50:17:130 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Removed products:
12/26/17 20:50:17:130 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 |      (IDSN/10.0/osx10)
12/26/17 20:50:17:130 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 |      (IDSN/11.0/osx10)
12/26/17 20:50:17:130 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 |      (IDSN/12.0.0/osx10-64)
12/26/17 20:50:17:130 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 |      (IDSN/9.0/osx10)
12/26/17 20:50:17:131 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | ##################################################
12/26/17 20:50:17:131 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | Ending the AdobeCCUninstaller Return Code (0)
12/26/17 20:50:17:131 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | ##################################################
12/26/17 20:50:17:131 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 | ##################################################
12/26/17 20:50:17:132 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 4857423 |

[Edit: Same successful run for the Photoshop apps, Photoshop CC 2017 and 2018 both launched fine. For that run, the only thing left is to update Adobe Photoshop CC 2017 to 18.1.2. ]

--
https://donmontalvo.com
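Added example, not part of any post in the thread: since the posted postinstall.sh discards stderr and always exits 0, and uninstallers were reported above to sometimes silently leave applications installed, the AdobeCCUninstaller.log is the place to confirm that every targeted product was actually removed. The function names `verify_ccuninstaller_log` and `sample_log` are hypothetical, and the check assumes the message wording seen in the log above.

```shell
#!/bin/sh
# Added example (not from the thread). Sample log below is constructed.
# Lists every product under "Products to be uninstalled:" that has no
# "Successfully uninstalled (...)" line. Returns non-zero if any is missing
# or if the closing "Return Code (N)" line is absent or N is not 0.
verify_ccuninstaller_log() {
    awk -F'|' '
        { msg = $NF; gsub(/^[ \t]+|[ \t\r]+$/, "", msg) }   # last field = message
        msg == "Products to be uninstalled:" { listing = 1; next }
        listing && msg ~ /^\(.*\)$/ { want[msg] = 1; next }  # requested product
        { listing = 0 }
        msg ~ /^Successfully uninstalled \(/ {
            sub(/^Successfully uninstalled /, "", msg); done[msg] = 1
        }
        msg ~ /^Ending the AdobeCCUninstaller Return Code \(/ {
            rc = msg; gsub(/[^0-9]/, "", rc)
        }
        END {
            bad = (rc != "0")
            for (p in want) if (!(p in done)) { print "NOT REMOVED " p; bad = 1 }
            exit bad
        }
    ' "${1:--}"    # read the named log, or stdin when no file is given
}

# Constructed run in the thread's log layout: 11.0 is requested but never
# reported as removed, yet the tool still ends with return code 0.
sample_log() {
    p='12/26/17 19:52:30:807 | [INFO] |  | CCP | Utilities | AdobeCCUninstaller |  |  | 1 |'
    cat <<EOF
$p Products to be uninstalled:
$p  (IDSN/10.0/osx10)
$p  (IDSN/11.0/osx10)
$p **************************************************
$p Uninstalling (IDSN/10.0/osx10)
$p Successfully uninstalled (IDSN/10.0/osx10)
$p Uninstalling (IDSN/11.0/osx10)
$p Ending the AdobeCCUninstaller Return Code (0)
EOF
}

sample_log | verify_ccuninstaller_log || echo "remediation incomplete" >&2
```

On a managed Mac the function would be pointed at the logged-in user's `Library/Logs/AdobeCCUninstaller.log`, and its exit status used as the policy result instead of the unconditional `exit 0`.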