Adobe Download Manager Vulnerable to Remote Code Execution Vulnerability
Article by George Norman
On 19 Feb 2010
Adobe, the California-based company that specializes in multimedia and creativity software, announced that it is aware of a vulnerability in its Adobe Download Manager application that, if successfully exploited, could allow an attacker to perform remote code execution. Security researcher Aviv Raff is credited with discovering the vulnerability.

“We are working with the researcher, Aviv Raff, and the third party vendor of this component to investigate and resolve the issue as quickly as possible,” commented David Lenoe on behalf of the Adobe Product Security Incident Response Team (PSIRT).

Aviv Raff says that he first uncovered a design flaw on Adobe’s website which “allows the abuse of the Adobe Download Manager to force the automatic installation of Adobe products, as well as other software products.” He also says that when he warned Adobe, the company did not acknowledge it as a serious problem that could be exploited by people with malicious intent. Adobe downplayed the issue and argued the following points in its defense:
  • Adobe Download Manager is removed from the user’s system when the user performs a restart.
  • Only the latest software hosted on Adobe.com can be downloaded with Adobe Download Manager.
  • When Adobe Download Manager downloads something, the user is presented with a very big dialog box.

“I think they missed the whole point here. While it is true that the Adobe Download Manager is removed upon computer restart, the user, who has just updated their Adobe product, is still exposed to forced automatic installation until they restart their computer. This specific design flaw does indeed force installation of the latest version of Adobe products. But, what if there is a zero-day flaw in an Adobe product, and you have decided to remove it from your system because of that zero-day? This is not a far-fetched “what if.” An attacker can force you to automatically download and install the vulnerable Adobe product, and then exploit the zero-day vulnerability in that product,” explained Aviv Raff.

Aviv Raff says he then uncovered a remote code execution flaw in Adobe Download Manager that could allow an attacker to force the automatic download and installation of any executable the attacker wants.



Tags: Adobe, Adobe Download Manager, Aviv Raff, Security, Remote code execution
About the author: George Norman
George is a news editor.