"The advice given is to simply ignore the warnings"
Probably the same thing Adobe "developers" do when they compile something.
Adobe Creative Cloud Experience, a service installed via the Creative Cloud installer for Windows, includes a Node.js executable that can be abused to infect and compromise a victim's PC. Michael Taggart, a security researcher, recently demonstrated that the node.exe instance accompanying Adobe's service could be exploited by …
-> Security researchers commenting on Taggart's finding said they'd been under the impression the bundled Node runtime would only execute files signed by Adobe
What led them to be under this impression? Did they test it themselves, i.e. do some research? Or did they read it somewhere, AKA reader-repeaters?
I've already owned somebody's machine to the point where I can drop arbitrary files anywhere I want *and* run random programs. And a copy of node.exe is the problem????
If somebody has gotten that far into your machine, you are fully owned, period. It's not reasonable to expect an application to guard against that.
Even with a customized installer à la O365, the Creative Cloud is still cancer. If you remove the out-of-date node from this version, there is probably still 30-year-old PDF code that for some reason still has local file access, loads internet resources at document load and runs unsigned scripts.
Keep in mind, this is still a company that can't be bothered to build a working uninstaller, automatically associates new users under a different account with the user account that installed the software, and tries to trick users into buying a copy of the software on their credit card when they are logged into CC with an account that has an enterprise license assigned.
So yeah, I don't lose much sleep over which bit of hot garbage that they point at, it's all a giant dumpster fire.