Adobe Download Manager Vulnerable to Remote Code Execution Vulnerability

Article by George Norman (Cybersecurity Editor)

on 19 Feb 2010

Adobe, the California-based company that specializes in multimedia and creativity software, has announced that it is aware of a vulnerability in its Adobe Download Manager application which, if successfully exploited, could allow an attacker to execute code remotely. Credit for discovering the vulnerability goes to security researcher Aviv Raff.

“We are working with the researcher, Aviv Raff, and the third party vendor of this component to investigate and resolve the issue as quickly as possible,” commented David Lenoe on behalf of the Adobe Product Security Incident Response Team (PSIRT).

Aviv Raff says that he first uncovered a design flaw on Adobe’s website which “allows the abuse of the Adobe Download Manager to force the automatic installation of Adobe products, as well as other software products.” He also says that when he went to Adobe to warn them, the company did not acknowledge that this was a serious problem that could be exploited by people with malicious intent. Adobe downplayed the whole thing and argued the following points in its defense:
  • Adobe Download Manager is removed from the user’s system when the user performs a restart.
  • Only the latest software hosted on Adobe.com can be downloaded with Adobe Download Manager.
  • When Adobe Download Manager downloads something, the user is presented with a very large dialog box.

“I think they missed the whole point here. While it is true that the Adobe Download Manager is removed upon computer restart, the user, who has just updated their Adobe product, is still exposed to forced automatic installation until they restart their computer. This specific design flaw does indeed force installation of the latest version of Adobe products. But, what if there is a zero-day flaw in an Adobe product, and you have decided to remove it from your system because of that zero-day? This is not a far-fetched “what if.” An attacker can force you to automatically download and install the vulnerable Adobe product, and then exploit the zero-day vulnerability in that product,” explained Aviv Raff.

Aviv Raff says he then uncovered a remote code execution flaw in Adobe Download Manager that could allow an attacker to force an automatic download and installation of any executable that attacker wants.
