WatchGuard Wire
Improve Your Security IQ
Adobe Download Manager vulnerability could affect any Adobe
software users
25 February 2010 -- A few days ago, Adobe released an update
to fix a severe vulnerability in their Download Manager. When you
download software like Adobe Reader or Flash Player from Adobe's
web site, it also installs an application called Download Manager,
which is intended to make the download process more efficient.
According to a security
advisory from Adobe, Download Manager suffers from a
critical code execution vulnerability. Adobe's bulletin does not
explain the vulnerability in any technical detail. However, one of the
original researchers who discovered the flaw, Aviv Raff, does in this blog
post. Raff plans to withhold some of the exploit details for now.
However, he says an attacker could exploit this flaw to download and
install any executable on your computer. I assume the attacker would
first have to entice a victim to click a malicious link, or to visit a
malicious web site, but neither Raff nor Adobe has confirmed how an
attacker actually exploits it.
Adobe says they have fixed this vulnerability in Download Manager
1.6.2.63. They claim that Download Manager is intended as a one-time-use
application. After you get Download Manager and it helps you
download other Adobe software, it should remove itself the next
time you restart your computer. If you've restarted your computer since
installing any Adobe apps, Download Manager should not be on your
system. Nonetheless, the Solution section of Adobe's
bulletin describes how you can check to see if Download Manager is
on your PC. If it is, you should remove it. Since you don't really need
Download Manager for anything other than installing new Adobe software,
you don't have to download the new version. Instead, the next time you
go to Adobe's site to get new software, the latest version will
automatically install itself.
On the topic of Adobe
vulnerabilities: a few weeks ago, Adobe released updates to
fix critical vulnerabilities in Reader,
Acrobat, and Flash
Player. If you haven't already downloaded and installed those
patches (Adobe's automatic update system may have already done it for
you), you should do so immediately. In my 2010 security
predictions, I warned that these kinds of third-party applications
would pose a big risk this year, so I recommend you stay on top of
their patches.
-- Corey Nachreiner, CISSP
Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.