In association with heise online

02 May 2008, 10:50

Akamai Download Manager executes malicious code


Load-balancing and broadband specialist Akamai offers a Download Manager with which files can be downloaded from the company's servers. Due to a security hole in both the ActiveX and Java versions, attackers can place manipulated links in web sites, emails or instant messages that download malicious programs such as trojans and run them automatically.

Security services provider iDefense has identified two undocumented parameters in the software that attackers can exploit to cause a file to be downloaded and run automatically. The download window is indeed displayed, says iDefense, but because malware is normally small, the window disappears too quickly for the user to notice the malicious download.

According to the security advisory, the DownloadManagerV2.ocx ActiveX module with the ClassIDs 2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B and FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1 in version 2.2.2.1 is affected by the vulnerability. The com.akamai.dm.ui.applet.DMApplet.class Java class in the dlm-java-2.2.2.0.jar Java archive is also affected; iDefense assumes that all versions before the current version 2.2.3.5 contain the flaw.

Akamai has provided updated versions that are installed when the update site is visited. Users of Akamai download software should immediately either install the update or uninstall the Java downloader and set the kill bit for the ActiveX component. A Microsoft Knowledge Base article gives practical assistance here. But because of the large number of security holes in ActiveX modules, users of Internet Explorer are best advised to disable ActiveX entirely without delay.

(mba)

Permalink: http://h-online.com/-735077