Akamai Download Manager executes malicious code
Load-balancing and broadband specialist Akamai offers a Download Manager with which files can be downloaded from the company's servers. Because of a security hole in both the ActiveX and the Java version, attackers can plant manipulated links in web sites, emails or instant messages that download malicious programs such as trojans and run them automatically.
Security services provider iDefense has found two undocumented parameters in the software which an attacker can use to make the downloader fetch a file and execute it without further user interaction. The download window is displayed, says iDefense, but if the malware is small, as it usually is, the window disappears too quickly for the malicious download to be noticed.
According to the security advisory, the DownloadManagerV2.ocx ActiveX module with the ClassID FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1 in version 18.104.22.168 is affected by the vulnerability. The com.akamai.dm.ui.applet.DMApplet.class Java class in the dlm-java-22.214.171.124.jar Java archive is also affected, and iDefense assumes that all versions before the current version 126.96.36.199 contain the flaw as well.
Akamai has provided updated versions that are installed when the update site is visited. Users of the Akamai download software should immediately either install the update or uninstall the Java downloader and set the kill bit for the ActiveX component; a Microsoft Knowledge Base article gives practical assistance here. Because of the very many security holes in ActiveX modules, users of Internet Explorer are best advised to disable ActiveX entirely.
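For administrators who cannot roll out the update right away, the kill bit mentioned above can be set from an elevated PowerShell prompt. The following script is an added example, not code from the iDefense advisory, Akamai or the Microsoft Knowledge Base article: it uses the CLSID the advisory names and Microsoft's documented kill-bit mechanism (the DWORD Compatibility Flags = 0x400 under the ActiveX Compatibility key), sets it in both the native and the 32-bit (Wow6432Node) registry view on 64-bit Windows, and reads the value back to confirm the bit is present.

```powershell
# Added example: set the Internet Explorer kill bit for the vulnerable
# Akamai DownloadManagerV2.ocx control and verify it afterwards.
# The CLSID is the one from the iDefense advisory; the registry location
# and the 0x400 flag are Microsoft's documented kill-bit mechanism.
# Run from an elevated PowerShell prompt.
$clsid   = '{FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}'
$killBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both.
$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # Keep any compatibility flags already present; only OR in the kill bit.
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    $newValue = $existing -bor $killBit
    New-ItemProperty -Path $path -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $newValue -Force | Out-Null
}

# Verification: the kill bit must read back as set in every view written.
foreach ($path in $paths) {
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags').'Compatibility Flags'
    $isSet = (($flags -band $killBit) -ne 0)
    Write-Output ("{0}`n  Compatibility Flags = 0x{1:X}, kill bit set: {2}" -f $path, $flags, $isSet)
}
```

Once the kill bit is in place, Internet Explorer refuses to instantiate the control from any page regardless of the user's ActiveX zone settings; it does not remove the file, so the update should still be installed afterwards.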
- Akamai Download Manager Arbitrary Program Execution Vulnerability, security advisory by iDefense
- Update the downloader