
More problems with Adobe's security updates revealed

19 February 2010

Hard on the heels of problems with Adobe's security update strategies identified this week, it now seems that the installation software used by Adobe for its Reader and Flash applications has a security flaw.

As reported yesterday by Infosecurity, Adobe's updates this week were hit by misrouting of Apple Mac users to Windows updates, and the ongoing availability of Adobe Reader 9.3.0, despite the software having two known security vulnerabilities.

Now it seems that the Adobe Download Manager itself is flawed, with a bug allegedly allowing hackers to remotely install malicious files on users' PCs.

The bug stems from the fact that the Download Manager is an ActiveX script that is widely used to install a variety of software and patches across the Adobe internet empire.

According to Israeli security researcher Aviv Raff, who has identified many other software vulnerabilities, the flaw allows a third-party application to be called and installed on the remote machine, provided the user clicks on a link.

In a blog posting, Raff said: "We all have heard about the recent zero-day vulnerabilities in several widely deployed Adobe products."

"Adobe's response to some of them has been at times outrageous.... Recently, I found a design flaw on Adobe's website, which allows the abuse of the Adobe Download Manager to force the automatic installation of Adobe products, as well as other software products (e.g., Google Toolbar)", he said.

"Instead of admitting that this design flaw is indeed a problem which can be abused by malicious attackers, Adobe decided to downplay this issue", he added.

According to Raff, when ZDNet Zero Day blogger Ryan Naraine reported Aviv's discovery to Adobe, the company sent this response:

A few important points:

The Adobe Download Manager is intended for one-time use. The Adobe Download Manager is designed to remove itself from the computer after use at the next restart. The user can also remove the Adobe Download Manager prior to this using Add/Remove Programs.

The Adobe Download Manager can only be used to download the latest version of software hosted on Adobe.com.

The Adobe Download Manager presents a very large user dialog box when downloading software.

Raff alleges that Adobe has missed the point: "This is not a far-fetched 'what if' – an attacker can force you to automatically download and install the vulnerable Adobe product, and then exploit the zero-day vulnerability in that product", he said.

"Until Adobe decides to fix this vulnerability, I'm going to withhold the technical details of how to exploit this vulnerability. But, I can say that Adobe's claim in regards to Adobe Download Manager use of SSL in downloading the software is simply not true", he added.
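The class of problem described above is a download-and-install component that can be steered, from a link, to fetch something other than what the user intended, while the vendor's stated safeguards (Adobe.com only, a large dialog, SSL) turn out to be weaker than claimed. The snippet below is an added illustration written for this article, not Adobe's Download Manager code and not the exploit Raff withheld: it shows the checks a download manager should enforce before it fetches and runs anything, namely an HTTPS-only scheme, an exact-match host allowlist (a suffix match would let a look-alike host through), rejection of user-info and traversal tricks in the URL, and a pinned digest for every package it is permitted to install. The host names, file name and installer bytes are constructed sample values.

```python
"""Validate a software-download request against a fixed allowlist.

Added illustration of the mitigation for the design-flaw class discussed
in the article; it is not Adobe's code. Hosts, package names and the
sample installer bytes below are constructed for the example.
"""
import hashlib
import hmac
from urllib.parse import unquote, urlsplit

# Assumed allowlist: only these hosts may serve installers, only over HTTPS.
ALLOWED_HOSTS = frozenset({"download.example.com"})

# Constructed sample installer and its SHA-256, standing in for a pinned
# package catalogue shipped with the download manager (an assumption).
SAMPLE_INSTALLER = b"MZ-constructed-sample-installer-bytes"
ALLOWED_PACKAGES = {
    "reader-9.3.1.exe": hashlib.sha256(SAMPLE_INSTALLER).hexdigest(),
}


def validate_download_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). Only an https URL to an allowlisted host that
    names a catalogued package passes; everything else is rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "scheme must be https"
    # user@host forms let an attacker-controlled host hide behind a
    # trusted-looking prefix, so refuse them outright.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:  # exact match, never endswith()
        return False, f"host {host!r} not in allowlist"
    if parts.port not in (None, 443):
        return False, "non-standard port"
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if any(s in (".", "..") for s in segments):
        return False, "path traversal segment"
    if not segments or segments[-1] not in ALLOWED_PACKAGES:
        return False, "file not in package catalogue"
    return True, "ok"


def verify_package(filename: str, data: bytes) -> bool:
    """Compare downloaded bytes against the pinned digest before install.
    A correct host and TLS are not enough: the bytes must match what the
    catalogue expects."""
    expected = ALLOWED_PACKAGES.get(filename)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for candidate in (
        "https://download.example.com/pub/reader-9.3.1.exe",
        "http://download.example.com/pub/reader-9.3.1.exe",
        "https://download.example.com.evil.test/pub/reader-9.3.1.exe",
        "https://download.example.com@evil.test/pub/reader-9.3.1.exe",
        "https://download.example.com/pub/toolbar.exe",
    ):
        print(candidate, "->", validate_download_url(candidate))
    print("digest ok:", verify_package("reader-9.3.1.exe", SAMPLE_INSTALLER))
```

The two functions are deliberately separate: the URL check decides whether a fetch may start at all, and the digest check decides whether the fetched bytes may be installed, so a compromised or misconfigured server on an allowlisted host still cannot push an unexpected binary.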

This article is featured in:
Application Security • IT Forensics


Comments

TamaraDigi1 says:

04 March 2010
In light of further Adobe security concerns, whereby many businesses and consumers are now questioning the real capabilities of their document creation software, I think it’s important that they're aware of how to protect their PDFs.

Here are some top tips on PDF security by Global Graphics (http://bit.ly/GlobalGraphicssecurity):

1. Keep your PDF software and virus software updated by visiting your providers' website
2. Don’t open PDFs from people you don’t know, no matter how tempting the title!
3. Keep an eye out for any PDF security advice coming out from the likes of SANS
4. Be wary of PDF software that has had security scares or is targeted by hackers. There are alternatives.
5. If you do use free PDF software from smaller providers, make sure you know they have strong support services
