Researcher Aviv Raff, who discovered an installation flaw in Adobe Download Manager last week, now says that he has detected a second flaw in the product.
"On the same day I published my last blog post, I found yet another issue — a remote code execution flaw in the Adobe Download Manager," he said. "Basically, what I found is that an attacker can force an automatic download and installation of ANY executable he desires. So, if you go to Adobe’s website to install a security update for Flash, you really expose yourself to a zero-day attack.
On Feburary 15, Raff stated on his blog that Adobe's Download Manager, which Adobe uses to download and install new versions of its products, can be forced by attackers to download a range of software products.
These include Adobe Flash 10, Adobe Reader, Adobe AIR, and AHR, a tool that can be used to silently install Adobe products. Other third-party software tools can also be installed by the Download Manager, including the Google Toolbar, the McAfee Security Scan Plus, and the New York Times Reader (installed on top of Adobe AIR).
Raff explained that this enables attackers to manipulate the software into installing versions of Adobe and other products with known compromises. Adobe recently reported critical security flaws in its Acrobat and Reader software, and another in its Flash Player.
"So, even if you use an alternative PDF reader, an attacker can force you to download and install Adobe Reader, and then exploit the (yet to be patched, but now known) vulnerability," Raff said in his post, made a day before Adobe patched the Reader and Acrobat flaw last Tuesday. "The attacker can also exploit zero-day vulnerabilities in any of the other products mentioned above."
Responding to Raff's claims last week, Adobe argued that the Download Manager is only meant for one-time use, and is deleted from the user's machine after it is restarted. The company also pointed out that only the latest version of Adobe's software products can be downloaded by the tool, meaning that, for example, an older version of Flash Player with known vulnerabilities would not be installable using such a flaw.
"Most users who click on a 'forced download' link are presented with a yellow bar dialog asking to install the Adobe Download Manager," Adobe added. "The Adobe Download Manager will not download automatically."
Raff argued that Adobe had missed the point, adding that Adobe's increasing instances of zero-day flaws make it possible for attackers to exploit even the latest versions of Adobe software in many cases.
If his latest discovery of a remote code execution flaw is valid, then the aforementioned represent only part of the issue: a vulnerability allowing remote code execution would critically compromise a user's system directly from within Download Manager itself. Theoretically, malware could be installed before the user restarts their machine.
Adobe, which last September joined the SAFECode consortium, a group of companies dedicated to promoting secure software development, admitted to Infosecurity that the Adobe Download Manager had been developed by a third party company. It is now working directly with Raff, and with that third-party vendor, to examine the remote code vulnerability issue, a spokesperson said.
Adobe faces criticism from both sides: some, like Raff, are finding flaws in products designed to ease the patching process. Others, like one commenter on Raff's blog, criticize it for making the enterprise patching process too difficult.
"We're considering removing Adobe software from our systems, because it is so difficult to patch. For instance, each time there is a Flash update, I have to fill out a form on the Adobe website, 'apply' to "redistribute" flash on our intranet (because we use a software distribution system, and do not allow users to install or update their own software)," said one irate user. "Maybe we'd all be better off without Adobe software on our systems. Even when there are fixes, they make the fixes hard to get."
Adobe is currently beta testing a silent updater, that would patch software in the background without the user having to do anything. That tool, designed only for its Reader software, will go live for the general user base in April, assuming that the beta test goes according to plan. But with mounting security problems plaguing the company, many users may be left asking themselves whether silent updates are a good idea. After all, the lack of silent updates seems to be the company's main defense when discussing the Download Manager installation flaw.