social_Enchantment5CB5
Participating Frequently
July 9, 2019
Question

Creative Cloud listening on tcp ports; security issue?


Given Zoom's recent lack of security concerns, and their choosing to "help" their users have a better experience by installing a web server on localhost that remains installed past an app removal, and can let a website reinstall the app without the user's permission, I got curious about what else may be on my Mac listening.  Here's the Zoom issue FYI:

https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-…

Well lo and behold, there's a bunch of Adobe stuff running seemingly in support of Creative Cloud:

Adobe\x20 95119 username   10u     IPv4 0x5b781a0c4de33979         0t0               TCP 127.0.0.1:15292 (LISTEN)
Adobe\x20 95119 username   37u     IPv4 0x5b781a0c4c073979         0t0               TCP 127.0.0.1:15393 (LISTEN)
node      95149 username   16u     IPv4 0x5b781a0c5b3b02f9         0t0               TCP 127.0.0.1:58835 (LISTEN)
node      95149 username   20u     IPv4 0x5b781a0c3fd2a2f9         0t0               TCP 127.0.0.1:58845 (LISTEN)

which map to:

/Library/Application Support/Adobe/Adobe Desktop Common/ADS/Adobe Desktop Service.app/Contents/Frameworks/AdobeCrashReporter.framework/Versions/A/AdobeCRDaemon.app/Contents/MacOS/AdobeCRDaemon 95119 Adobe Desktop Service 4.8 /Library/Application Support/Adobe/Adobe Desktop Common/ADS/Adobe Desktop Service.app/Contents/Resources/AdobeDesktopService.icns /Library/Application Support/Adobe/Adobe Desktop Common/ADS/Adobe Desktop Service.app/Contents/Frameworks/AdobeCrashReporter.framework/Versions/A/Adobe Crash Reporter.app/Contents/MacOS/Adobe Crash Reporter 0      Adobe Desktop Service 1 1

/Library/Application Support/Adobe/Creative Cloud Libraries/CCLibrary.app/Contents/MacOS/../libs/node /Library/Application Support/Adobe/Creative Cloud Libraries/CCLibrary.app/Contents/MacOS/../js/server.js

This is disturbingly similar to Zoom.  Here are two pieces of software listening for connections on localhost, and who knows if they're secure from browser-based remote exploit.

Can these be disabled in some way while still making use of Adobe apps?  I don't use the creative cloud services, it's only running because of the license check requirement, and for installing updates.  Adobe's security track record is not the best, see Acrobat and Flash for all you need to know there, so having two daemons running and listening for TCP connections on my machine is not exactly making me comfortable.
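The audit described in the post above can be repeated and scripted. This is an added example, not part of the original post: it parses listener lines in the lsof format shown there (the sample is copied from the post) and labels each socket by how widely it is reachable. The function names and the exposure labels are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Listener lines copied from the post; lsof prints a space in a command
# name as the literal text \x20, so the raw string keeps it intact.
SAMPLE = r"""
Adobe\x20 95119 username   10u     IPv4 0x5b781a0c4de33979         0t0               TCP 127.0.0.1:15292 (LISTEN)
Adobe\x20 95119 username   37u     IPv4 0x5b781a0c4c073979         0t0               TCP 127.0.0.1:15393 (LISTEN)
node      95149 username   16u     IPv4 0x5b781a0c5b3b02f9         0t0               TCP 127.0.0.1:58835 (LISTEN)
node      95149 username   20u     IPv4 0x5b781a0c3fd2a2f9         0t0               TCP 127.0.0.1:58845 (LISTEN)
"""

def classify(host):
    """Label a bind address: loopback, all-interfaces or specific-interface."""
    if host == "*":
        return "all-interfaces"          # lsof's notation for a wildcard bind
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"                # local processes only, browsers included
    if addr.is_unspecified:
        return "all-interfaces"          # 0.0.0.0 or ::
    return "specific-interface"

def parse_listeners(text):
    """Return one dict per TCP socket in LISTEN state."""
    found = []
    for line in text.splitlines():
        f = line.split()
        # Expect COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (STATE)
        if len(f) < 10 or f[-1] != "(LISTEN)" or f[-3] != "TCP":
            continue
        host, _, port = f[-2].rpartition(":")
        host = host.strip("[]")          # IPv6 is printed as [::1]:port
        found.append({"command": f[0].replace("\\x20", " ").strip(),
                      "pid": int(f[1]), "user": f[2], "host": host,
                      "port": int(port), "exposure": classify(host)})
    return found

def ports_by_pid(listeners):
    """Group listening ports under the PID that owns them."""
    grouped = defaultdict(list)
    for item in listeners:
        grouped[item["pid"]].append(item["port"])
    return dict(grouped)

if __name__ == "__main__":
    for item in parse_listeners(SAMPLE):
        print(item["pid"], item["command"], item["port"], item["exposure"])
```
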

This topic has been closed for replies.

3 replies

social_Enchantment5CB5
Participating Frequently
July 12, 2019

@Test Screen Name, your understanding of loopback address accessibility is correct.  However, what allowed the Zoom exploit to work was web pages containing code instructing a browser to connect to http://127.0.0.1:port/blah with a custom crafted URL designed to trigger the exploit.  So basically a website instructs your browser to access localhost, which it has access to, and then bad things happen.  The exact same thing could, in theory, allow a website to ask my browser to talk to one of the four ports Adobe software seems to be listening on.

Apple pushed out a secret patch, i.e. not a user-applied update, that has removed the Zoom webserver, so they obviously thought it was fairly severe.  Apple is silently removing Zoom’s web server software from Macs - The Verge

Adobe really shouldn't be using background daemons listening for TCP connections to do any inter-process communications between apps on my computer, so I have to think these listening daemons were an equally bad workaround for some goal they were trying to achieve.  Perhaps Apple will take notice and forcefully remove them too.

Abambo
Community Expert
July 13, 2019

tampaatusf  wrote

Adobe really shouldn't be using background daemons listening for TCP connections to do any inter-process communications between apps on my computer, so I have to think these listening daemons were an equally bad workaround for some goal they were trying to achieve.  Perhaps Apple will take notice and forcefully remove them too.

Processes listening on ports to do something are the essence of the UNIX OS of processes doing interprocess communication.

ABAMBO | Hard- and Software Engineer | Photographer
social_Enchantment5CB5
Participating Frequently
July 12, 2024

Umm no, inter-process communication, by anyone who knows how to program, would never be handled via IP.  Having separate processes communicate by way of starting up a local TCP listener, all the overhead associated with that, then a client-side connection from the other process to the listener, is about as inefficient and poor for security as one can get.  IPC, i.e. not just thread to thread of one process, would typically be handled by any number of other methods, like semaphores, sockets, signals, etc. where they're both owned by the same UID and therefore inaccessible to others, let alone a web browser which can be instructed to connect to an arbitrary predictable local TCP port.
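The kind of same-UID local channel the reply above refers to, as an added example that is not part of the original post: a Unix domain socket placed in a private directory, so access is decided by file ownership and mode rather than by who can reach a TCP port. The function name, socket file name and message format are assumptions made for illustration.

```python
import os
import socket
import stat
import tempfile
import threading

def run_private_ipc(request=b"status?"):
    """Exchange one message over a Unix socket only the owning UID can open."""
    # mkdtemp creates the directory with mode 0700. Guarding the directory
    # matters because some systems have ignored the socket file's own mode.
    workdir = tempfile.mkdtemp(prefix="ipc-demo-")
    path = os.path.join(workdir, "service.sock")     # hypothetical name
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)                      # socket file becomes 0600
    try:
        server.bind(path)
    finally:
        os.umask(old_umask)
    server.listen(1)

    def serve_one():
        conn, _ = server.accept()
        with conn:
            conn.sendall(b"ack:" + conn.recv(1024))

    worker = threading.Thread(target=serve_one, daemon=True)
    worker.start()
    try:
        # The client must name a filesystem path; there is no host:port to
        # put in a URL, so a web page cannot address this endpoint.
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
            client.connect(path)
            client.sendall(request)
            reply = client.recv(1024)
        worker.join()
        info = os.stat(path)
        return {"reply": reply,
                "is_socket": stat.S_ISSOCK(info.st_mode),
                "socket_mode": stat.S_IMODE(info.st_mode),
                "dir_mode": stat.S_IMODE(os.stat(workdir).st_mode),
                "owned_by_us": info.st_uid == os.getuid()}
    finally:
        server.close()
        os.unlink(path)
        os.rmdir(workdir)

if __name__ == "__main__":
    print(run_private_ipc())
```
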

Legend
July 9, 2019

I'm not an expert, but I read that processes that listen only on 127.0.0.1, the "loopback port", can only be accessed from the same computer. This would be internal servers to allow one piece of Adobe software to talk to another piece on the same computer.

Abambo
Community Expert
July 9, 2019

tampaatusf  wrote

Adobe's security track record is not the best, see Acrobat and Flash for all you need to know there, so having two daemons running and listening for TCP connections on my machine is not exactly making me comfortable.

Flash and Acrobat are different. Adobe closes holes as soon as they are aware of those. Flash is a security threat, because it's kind of a programming environment. Flash will now be out ranged not because of bad security but because mobile devices will not run Flash because of its resource and energy hunger.

There is more listening on TCP ports than CC.

You can always close the ports and see if the software stops working. I doubt that they are listening as part of the licensing.

ABAMBO | Hard- and Software Engineer | Photographer