Hole in Adobe's Download Manager enables virus infestation
Security vendor eEye has released a bug report about a hole in Adobe's Download Manager (AOM) through which specially prepared websites can infect visitors with viruses. AOM is intended to assist with the download and installation of Adobe software and is used when installing the free Adobe Reader: the Reader's small setup file contains only AOM, which then downloads and installs the Reader's program files from the Adobe server.
The core of the problem is a buffer overflow in the Download Manager that is triggered when it reads in manipulated AOM files or configuration files. After installation, AOM files are automatically associated with the manager. According to the bug report, this means that a website visited with Internet Explorer can have a manipulated file opened automatically, without any user interaction, provided the server sends the content type application/aom.
Versions 2.1.x and earlier are affected. Version 2.2 for Windows and Mac, already released by Adobe, no longer contains the bug. Where installing the new version is not possible, eEye recommends uninstalling the Download Manager via Settings/Control Panel/Software, or at least removing the AOM file-type association (Windows Explorer/Tools/Folder options/File types). There are currently no reports of published exploits or of web pages exploiting the hole.
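An added audit script (not from eEye's or Adobe's advisory) that checks a Windows host for the conditions described above: an installed Download Manager older than 2.2, the AOM file-type association, and the Internet Explorer MIME mapping for application/aom. It assumes the file type is registered under the ".aom" extension and that the product's uninstall entry has a DisplayName containing "Adobe Download Manager".

```powershell
# Assumptions (not confirmed by the advisory): extension ".aom" and an
# Uninstall entry whose DisplayName contains "Adobe Download Manager".
function Get-AomExposure {
    $result = [ordered]@{
        AomExtensionRegistered = $false   # HKCR\.aom present
        AomProgId              = $null    # ProgID that opens AOM files
        AomMimeMapped          = $false   # IE maps application/aom to a file type
        DownloadManagerVersion = $null    # from the Uninstall registry keys
        Outdated               = $false   # version below 2.2 (affected range)
        ExposedViaBrowser      = $false   # outdated AND still associated
    }

    # 1. File-type link: HKCR\.aom -> ProgID (removed by the "File types" mitigation)
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.aom' -ErrorAction SilentlyContinue
    if ($ext) {
        $result.AomExtensionRegistered = $true
        $result.AomProgId = $ext.'(default)'
    }

    # 2. MIME mapping Internet Explorer consults for Content-Type: application/aom
    $mimePath = 'Registry::HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/aom'
    if (Get-ItemProperty -Path $mimePath -ErrorAction SilentlyContinue) {
        $result.AomMimeMapped = $true
    }

    # 3. Installed version, looking in both the native and the 32-bit Uninstall views
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $dm = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like '*Adobe Download Manager*' } |
          Select-Object -First 1
    if ($dm -and $dm.DisplayVersion) {
        $result.DownloadManagerVersion = $dm.DisplayVersion
        # Normalise "2" -> "2.0" so [version] can parse it; strip stray characters
        $clean = $dm.DisplayVersion -replace '[^\d.]', ''
        if ($clean -notmatch '\.') { $clean = "$clean.0" }
        $result.Outdated = [version]$clean -lt [version]'2.2'   # 2.1.x and earlier affected
    }

    # The no-click path described in the advisory needs an outdated manager that is
    # still reachable through the file-type or MIME association.
    $result.ExposedViaBrowser = $result.Outdated -and
        ($result.AomExtensionRegistered -or $result.AomMimeMapped)

    [pscustomobject]$result
}

Get-AomExposure | Format-List
```

A host that reports Outdated but not ExposedViaBrowser has applied the file-type workaround only; the advisory still recommends upgrading to 2.2 or uninstalling.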
- Update available for buffer overflow in Adobe Download Manager, bug advisory from Adobe
- Adobe Download Manager AOM Stack Buffer Overflow Vulnerability, bug advisory from eEye