Akamai Download Manager accepts malicious code
Akamai, the load-balancing service provider, says there is a vulnerable ActiveX control in its Download Manager that allows an attacker to take control of a Windows computer. A security advisory from the discoverer of the vulnerability gives more information about the cause. When an attacker's page is visited, parameter injection can be used to upload arbitary files to the visitor's computer and save them anywhere – in the Startup folder for example.
Users may inadvertently arrive at a crafted page by clicking a link in an E-mail or on a web site. While visiting a manipulated page, they can then inadvertently be passed on to a harmful site.
All versions of the Download Manager up to and including 22.214.171.124 are affected. The vulnerability is eliminated in version 126.96.36.199. Akamai says the ActiveX control can be updated on its update page.
- Akamai Technologies Security Advisory 2008-0001 (Download Manager), security advisory from Akamai
- Akamai Download Manager Remote Vul, security advisory from Frank Ruder