CCXProcess.exe – What is This?

CCXProcess.exe is a legitimate background process that belongs to Adobe programs. It has no visible window, and functions to help Adobe Creative Cloud programs with providing dynamic content. Features like downloading stock templates, filters, and tutorials depend on it. This process is also responsible for background product updates and synchronization.

After installing Adobe applications such as Premiere Pro, Lightroom Classic, After Effects, or Photoshop, the CCXProcess.exe process is added to the autorun and always runs in the background. The process belongs to the service type, so high resource consumption is not typical for it. CCXProcess performs undemanding tasks in the background, so it should barely load the computer.

Ccxprocess.exe System Error Msvcp140.dll – Fix Guide

Sometimes, an error indicating that the file ‘MSVCP140.dll’ is missing may occur when running Adobe programs. This error is caused by a missing or corrupted DLL file required for the program to work correctly. The ‘MSVCP140.dll’ file is part of the Microsoft Visual C++ Redistributable package, which is not always pre-installed in the operating system. Without it, programs like Adobe Premiere will not function at all, and quite a few other Adobe apps will start malfunctioning.

There are several ways to fix the System Error Msvcp140.dll. The first thing you need to do is to install the latest version of Visual C++. It will update to the current version if you already have it installed. After installation, be sure to reboot your computer. If, after rebooting, the problem has not gone away, you need to download an older version of Microsoft Visual C++ 2015 Redistributables.

In most cases, this will solve the problem. If you cannot install Visual C++ 2015, you probably already have a later version installed. Try uninstalling it and reinstalling the 2015 version, which should fix the problem.

Can I Disable It?

You can disable CCXProcess, remove it from autorun, and terminate it through Task Manager, but it is not necessary and will hurt Adobe software functionality. CCXProcess must run in the background to properly perform its functions and work with Adobe Creative Cloud programs. Without it, Creative Cloud apps will lose part of their functionality and may probably start malfunctioning.

You can terminate the process if necessary through the Task Manager. To do so, press the keyboard shortcut Ctrl+Shift+Esc or via the context menu on the space in the taskbar. To terminate the service, find CCXProcess in the list of processes and click “End task“. You can also remove the service from autorun in Task Manager. To do this, go to the “Startup” tab, find the process, and disable it with the corresponding button.

If you wish to disable CCXProcess permanently, you can do so through the Adobe Creative Cloud app. Open the app, click on your profile icon, and select Preferences. Under the General tab, find the Launch Creative Cloud at Login option and uncheck it. That will disable the CCXProcess from starting upon the system startup.

Is CCXProcess a virus?

As I’ve explained above, CCXProcess.exe is digitally signed by Adobe and is not a virus. However, malware can masquerade as this file, taking its name to confuse the user. To understand whether you are dealing with a real file or a fake, you need to understand a few things. First, it is most likely a malicious copy if you have not installed or used Adobe products and the CCXProcess is present in Task Manager.

The next red flag is the excessive use of PC resources. The original file uses a minimal amount of CPU or GPU. Both taking the legit process’ name and consuming a lot of CPU are typical behavior patterns of coin miner malware. Thus, excessive usage of resources is definitely a reason for moving on to the tips below.

Check the location of the file. The CCXProcess file is located in the Adobe program directories. Depending on the bit size of the system you are using, it can either be located in C:\Program Files\Adobe\Adobe Creative Cloud Experience or C:\Program Files (x86)\Adobe\Adobe Creative Cloud Experience. On 32-bit systems, it is usually located on the first path. On 64-bit systems, it is usually located on the second path.

If you doubt the legitimacy of CCXProcess.exe, you can run a scan on your device. GridinSoft Anti-Malware is a great solution for this task. This will remove malware and unwanted software from your system.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post CCXProcess.exe appeared first on Gridinsoft Blog.

AcroTray.exe – What is it?

AcroTray.exe is an executable file that is part of the Adobe Acrobat software. This process supports PDF-related functions such as document conversion, creation, and editing directly from the desktop without having to open the Adobe Acrobat program itself. In addition, AcroTray.exe helps manage licenses and updates for Adobe products. That function is critical for enterprise users who must have all the latter up-to-date.

The Acrotray.exe process usually starts at system startup and runs in the background, providing quick access to Adobe features. This may include integration with various applications such as Microsoft Office, where Acrotray.exe acts as an intermediate layer that facilitates the export and import of PDF documents. Technically, the process is a safe and important element for users of Adobe products, but its presence constantly in active processes may raise questions about the appropriateness of its use.

Main Functionalities:

• The ability to convert documents to PDF format from various applications such as Microsoft Office (Word, Excel, and others) without opening Adobe Acrobat.
• Help with managing the printing of PDF documents. Participates in setting up print options and selecting options right before printing. This improves the quality and accuracy of printed documents.
• Automated update checks for Adobe Acrobat and other Adobe components.
• Management for various plug-ins and add-ons for Adobe Acrobat, ensuring that they work properly and interact with the main program.
• Informer functions, providing notifications of new features, offers, or changes to Adobe services.

Acrotray.exe is Missing – Fixing Guide

The problem with the missing Acrotray.exe file can be a major nuisance for Adobe Acrobat and Adobe Reader users. The absence of this file can cause the program to not work properly, errors during startup or while performing certain functions such as viewing PDF documents or printing them. Here are a few steps you can take to resolve this issue:

Program Recovery can via Control Panel help you recover missing files, including Acrotray.exe.

1. Close the Adobe Acrobat program and all Acrobat processes from Task Manager.
2. Then open “Control Panel” → “Programs” → “Programs and Features” → “Uninstall a program” and click “Adobe Acrobat DC”.
3. Press “Change” and choose “Repair” in the dialog box.
4. After the program repair is complete, restart your PC.

In case repair did not help, reinstall the program. For this, uninstall the program in the same Control Panel and restart the computer. Install Adobe Acrobat downloaded from the official website.

AcroTray.exe – Is it a Virus?

As I wrote above, AcroTray.exe is a completely legitimate file. Still, like with any other executable file, its name may be taken by a virus or other malware. To make sure that AcroTray.exe is safe, you should check its location. The correct path to the file should be in the folder:

C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroTray.exe
– for modern versions of Adobe Acrobat

C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\AcroTray.exe
– for older versions of Adobe Acrobat (11 and under)

Another way to understand whether the Acrotray process is legit is checking the location and digital signature of the file.

To authenticate AcroTray.exe, you can use Task Manager:

• To do this, press the key combination: Ctrl+Shift+Esc

• In the list of processes, find the process with the name AcroTray.exe. Right-click on the process of interest in the list. Select “Open file location“. This action will automatically open the folder where the process executable is located.

• Right-click on the AcroTray.exe file and select “Properties“.

• Click the “Details” tab and check the file information such as description, file size and digital signature. Legitimate Adobe files are usually digitally signed by Adobe Systems Incorporated.

Attackers may use the name AcroTray to disguise their malware – a common trick for backdoors and coin miner malware. If you find the AcroTray.exe file in an unusual location, such as AppData\Roaming or AppData\Temp folder, or its behavior is suspicious (such as excessive use of system resources), it may be a sign of infection.

Scan your system for viruses

On the other hand, if you want to completely uninstall AcroTray.exe, you can uninstall the entire Adobe Acrobat package if you don’t need it. To do this, open “Control Panel” → “Programs and Features“, find Adobe Acrobat and select “Uninstall“.

Nevertheless, to make sure that AcroTray.exe file is safe, it is recommended to perform an antivirus scan. One reliable tool for this purpose is Gridinsoft Anti-Malware. This antivirus specializes in detecting and eliminating various types of malware, including those that can hide under the guise of legitimate system files.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

The post AcroTray.exe appeared first on Gridinsoft Blog.

ColdFusion ACE Vulnerabilities Exploited in Real-World Attacks

On January 8, CISA released their regular notice on new exploited vulnerabilities, specifying among others 2 security breaches in Adobe ColdFusion. Both of them are dated summer 2023, with the patches being available at around the same time. Nonetheless, the organization states about the exploitation, which is not doubtful considering the trends. And as both vulnerabilities score the CVSS rating of 9.8, the very fact of its usage in cyberattacks is concerning.

As I said in the introduction, both CVE-2023-29300 and CVE-2023-38203 are about the poor data validation upon deserialization that leads to the arbitrary code execution (ACE). Interestingly enough, both of them touch the same string versions of ColdFusion – 2018, 2021 and 2023. By sending a specifically crafted data package, targeted on the vulnerable ColdFusion server, adversaries can make the server execute the code they need. No user interaction is needed for this trick, which increases the severity of the vulnerability even more.

Arbitrary code execution vulnerabilities may serve as both initial access points and opportunities for lateral movement. The fact that this particular vulnerability works as is, without the need for user input, makes the exploitation just a piece of cake. And since ColdFusion is a rather popular app server solution, it is not hard to reach something important after compromising it, not to mention how easy it is to find a victim.

List of Affected ColdFusion Versions

Adobe ColdFusion Vulnerability Patches & Mitigation

Upon uncovering the vulnerabilities back in June 2023, Adobe released the updates^{1 2} which have these issues fixed. The company insisted on users to install these patches as soon as possible. And well, it cannot be a better moment to update than right now, after the official notification regarding the exploitation. Here is the list of ColdFusion versions that are no longer vulnerable to the said exploits:

At the same time, no workarounds or mitigations are available. This was expected though, as the nature of these vulnerabilities does not suppose the ability to fix it without the intrusion into the program code. In fact, there was over half a year of time to update, so applying any makeshift fixes now is irrational in any case.

Still, there is the ability to preventively protect the network from any kind of intrusion. By using Network Detection and Response (NDR) solutions, you make it much less likely that illicit traffic will reach your servers. By combining this with all-encompassing protective solutions, like Extended Detection and Response (XDR), you will receive a reliable shield against known threats, as well as ones that are only to be discovered.

The post Two Adobe ColdFusion Vulnerabilities Exploited in The Wild appeared first on Gridinsoft Blog.

ColdFusion Vulnerability Exploited to Infiltrate Federal Agency Servers

Recently, CISA has reported that Adobe’s ColdFusion – an application development tool, continues to pose a serious threat to organizations. Even though Adobe patched the CVE-2023-26360 vulnerability in March, CISA disclosed that two public-facing web servers at an undisclosed federal government agency were breached this summer.

The attackers exploited the CVE-2023-26360 vulnerability in the ColdFusion software, which enabled them to penetrate the systems. They deploy malware, including a remote access trojan (RAT), and access data through a web shell interface. The problem is that the affected servers ran outdated and vulnerable ColdFusion versions. Although Adobe released patches in March, only some users installed them. As a result, the lack of updates left an opening for intruders to gain initial access.

Fixed But Still Works

The CVE-2023-26360 flaw in ColdFusion allows arbitrary code execution without user action. Adobe released the patch that fixes the issue back in March 2023. However, as some users do not see the need to install this hotfix, threat actors have persistently exploited the vulnerability in unpatched systems. The flaw affects ColdFusion versions 2018 Update 15 and earlier, as well as 2021 Update five and earlier, including unsupported versions.

As for current incidents, they both occurred in June. In the first breach, hackers accessed the web server through a vulnerable IP address, exploiting the ColdFusion flaw. They attempted lateral movement, viewed information about user accounts, and executed reconnaissance. In addition, they dropped malicious artifacts, including a RAT that utilizes a JavaScript loader. Nevertheless, the attack was thwarted before successful data exfiltration.

In the second incident, the attackers checked the web server’s operating system and ColdFusion version, inserting malicious code to extract usernames, passwords, and data source URLs. Evidence suggests the activity amounted to network reconnaissance mapping rather than confirmed data theft. The malicious code hints at threat actors’ potential activities, leveraging the compromised credentials.

Nice try, but please try again later

According to experts, although the attackers managed to penetrate the target network, they could not do much damage. Actions encompassed reconnaissance, user account reviews, malware distribution, data exfiltration attempts, and code planting to extract credentials. Eight artifacts were left behind alongside a modified publicly available web shell for remote access.

While later quarantined, assets exposed included password information that could enable deeper network pivoting. However, no data thefts or system transitions were confirmed. It’s unclear whether one or multiple actors were responsible for the linked events. However, one thing is sure: despite vendors fixing vulnerabilities quickly, user’s negligence abuses malicious code without target interaction by even low-skilled actors.

Older Vulnerabilities Cause More and More Concerns

Aside from some extreme cases, software developers rarely ignore patching serious vulnerabilities. Large companies though are ones who definitely pay less attention than they should. And as we can see from this story, this is applicable even to government organizations. And this is what creates concerns.

As time goes on, hackers find more and more ways to exploit the same vulnerabilities. While some of them are getting patched by all parties or rendered ineffective, others remain actual and, what is worse, exploitable. After the initial discovery of a certain vulnerability, it is obvious to expect a boom in its exploitation. This comes especially true for programs that are generally used by large corporations – a category most of govt orgs fall into.

Leaving such vulnerabilities unpatched is effectively an invitation for a hacker to pay your network a visit. In a modern turbulent and uneven time, such decisions borderline recklessness, if not outright sabotage.

The post Federal Agency Hacked With ColdFusion Vulnerability appeared first on Gridinsoft Blog.

Citrix and Adobe Patch 0-day Vulnerabilities

Simultaneously, products of two companies were hit with critical vulnerabilities that allowed crooks the remote execution of malicious code. Citrix and Adobe are well known in the software market, so there’s no need to introduce them. The vulnerability in Citrix NetScaler has a CVSS of 9.8 out of 10, allowing for code execution without authentication. On July 18, Citrix said it had patched the vulnerabilities. However, attackers have likely had time to exploit them.

Adobe is doing a little worse in this regard. Adobe ColdFusion, a popular server-side scripting language, faces critical vulnerabilities. These vulnerabilities are noted as CVE-2023-38203 with a severity level of 9.8 out of 10 and CVE-2023-29298. This allows an unauthenticated attacker to execute arbitrary code on a vulnerable server. The company soon released a patch that was supposed to fix the vulnerabilities. However, the patch provided by Adobe for CVE-2023-29298 on July 11 is incomplete, which means that remedies against CVE-2023-29298 do not currently exist.

Moreover, experts discovered that the vulnerability that Adobe patched a few days earlier was actually CVE-2023-38203 and not CVE-2023-29300. The security company made a mistake by unintentionally releasing a critical zero-day vulnerability to users already dealing with the threat posed by the incomplete patch. Project Discovery quickly took down the disclosure post, and Adobe fixed the vulnerability two days later. By the way, the CVE-2023-29300 vulnerability also has a severity rating of 9.8.

Consequences

While estimating the potential damage from these vulnerabilities is impossible, it can be compared to the MOVEit and GoAnywhere vulnerabilities. The former resulted in 357 individual organizations being compromised, while the latter affected over 100 organizations. However, both organizations have since released patches. Meaning users can only hope the problem will be fixed soon.

How to protect against vulnerabilities?

Protecting against vulnerabilities involves adopting proactive cybersecurity measures and practices. Here are some steps you can take to enhance your security:

• Keep Software Updated. You should regularly update your operating system, applications, and antivirus software. Developers release updates to patch security vulnerabilities, so staying up-to-date is crucial.
• Use Strong Passwords. Strong passwords will help prevent compromise through brute force. In addition, consider using a password manager to store and manage your passwords securely.
• Enable Multi-Factor Authentication. Adding MFA (multi-factor authentication) provides an additional layer of security by requiring extra verification (like a code sent to your phone). It will be a different and insurmountable barrier to intruders.
• Use protection solutions. Powerful antivirus software is integral to complementing the above recommendations. In the event of an attempt to infect the system, it will neutralize the threat before it can cause harm.
• Keep Abreast of Security News. Finally, stay informed about the latest cybersecurity threats and best practices to adapt your defenses accordingly.

Although there is no such thing as 100% protection, implementing these measures can significantly reduce your risk and make it harder for attackers to exploit vulnerabilities.

The post Citrix and Adobe Vulnerabilities Under Active Exploitation appeared first on Gridinsoft Blog.

Let me remind you that earlier the developers have already warned that they will ask users to remove Adobe Flash from their machines by the end of the year.

In the latest update, the actual date of “death” of Flash is decided: January 12, 2021, after which any type of Flash content will not be launched inside the application.

The fact is that even if the user does not bother to uninstall Flash on his own, a few months ago the company added a kind of “time bomb” to the code, which will prevent the application from being used in the future.

It is also worth recalling that in October this year, Microsoft already released an update that removes Adobe Flash from all versions of Windows 10 and Windows Server, and also prevents it from being reinstalled on the device.

The “death” of Flash is expected to have minimal impact on the web ecosystem, as, according to a study by W3Techs, only 2.3% of sites still use Flash, which means that this figure has significantly decreased in recent years (for example, in 2011, the market share Flash was 28.5%).

Along with the release of the latest update, Adobe took the time to thank all Flash users and web developers who have been using it in their everyday lives and work for so many years:

Let me remind you that OS Windows 7 was also hard and reluctant to leave us: Microsoft released farewell updates for Windows 7 in january 2020, but My Digital Life forum community has found an illegal way to extend support for Windows 7.

The post Flash content will be blocked from January 12, 2021 appeared first on Gridinsoft Blog.

In July did not reach the record of June Tuesday only a little, when were fixed129 vulnerabilities.

The most serious vulnerability fixed this time is the CVE-2020-1350 problem, also known as SigRed, found as part of the Windows DNS Server. The vulnerability was discovered by Check Point specialists and scored 10 points out of 10 on the CVSSv3 vulnerability rating scale.

Other major issues this month included vulnerabilities that could allow remote code execution that were discovered as part of:

• RemoteFX vGPU component in the Microsoft Hyper-V hypervisor (CVE-2020-1041, CVE-2020-1040, CVE-2020-1032, CVE-2020-1036, CVE-2020-1042, CVE-2020-1043);
• Jet Database Engine, included in some Office applications (CVE-2020-1400, CVE-2020-1401, CVE-2020-1407);
• Microsoft Word (CVE-2020-1446, CVE-2020-1447, CVE-2020-1448);
• Microsoft Excel (CVE-2020-1240);
• Microsoft Outlook (CVE-2020-1349);
• Microsoft Sharepoint (CVE-2020-1444);
• Windows LNK shortcut files (CVE-2020-1421);
• various Windows graphics components (CVE-2020-1435, CVE-2020-1408, CVE-2020-1412, CVE-2020-1409, CVE-2020-1436, CVE-2020-1355).

Adobe, in turn, has fixed more than a dozen vulnerabilities in products such as Creative Cloud, Media Encoder, Genuine Service, ColdFusion, and Download Manager.

So, in the Windows version of Download Manager, Adobe fixed a critical error that allowed the introduction of commands, which could lead to the execution of arbitrary code.

“In Media Encoder for Windows and macOS, were resolved two critical out-of-bounds writing issues that could also lead to arbitrary code execution, as well as an out-of-bounds reading error that entailed information disclosure”, – report Adobe experts.

A critical vulnerability has also been fixed in the desktop version of Creative Cloud. The problem is with symbolic links, which can allow an attacker to write arbitrary files to the target system. Three other vulnerabilities detected in the application are marked as important and allow increasing privileges in the system.

As part of the Genuine Service, have been fixed two bugs that allow privilege escalation, as well as in ColdFusion.

Recent patches include disclosure in NetWeaver (CVE-2020-6285) and several not-so-dangerous errors in Disclosure Management (CVE-2020-6267), Business Objects (CVE-2020-6281, CVE-2020-6276), NetWeaver AS JAVA (CVE-2020-6282) and Business Objects BI (CVE-2020-6278, CVE-2020-6222).

Also this month were released patches for the products of other vendors, including several updates from VMware, fixing about a hundred errors from Oracle (the highest CVSS score is 8.8 points for CVE-2016-1000031 vulnerability), and also updated Chrome, where One critical error and seven high-severity flaws were corrected.

The post On July “Patch Tuesday”, only Microsoft fixed 123 vulnerabilities appeared first on Gridinsoft Blog.