Security problems in Adobe's Download Manager
Adobe developers are being kept busy by some newly discovered security problems. According to Israeli security specialist Aviv Raff, a vulnerability in Adobe's Download Manager (DLM) can be exploited by a crafted website to install arbitrary software on a Windows computer. This is supposed to only be possible for software signed by Adobe and which originates from an Adobe website, but, due to one or more bugs, it is apparently possible to install and run other applications. Raff reports that he was able to install and run his own version of the Windows calculator.
Raff is holding back on publishing details of the vulnerability until it has been fixed. Adobe has confirmed the existence of the problem and together with security specialists and the company behind Download Manager, is working on a solution. Exploiting the vulnerability is not trivial, as DLM is not usually permanently installed on a PC. It kicks in only when, for example, the Flash Player page is called as an ActiveX control. In Internet Explorer this, by default, triggers a dialogue box asking the user for confirmation. The control then remains active until the PC is restarted, after which it vanishes from the system. The situation is similar for the Firefox plug-in under Windows.
Whilst the DLM is active following either an installation or an upgrade to Flash Player, other Adobe applications can be installed on the system. DLM does tell users what it is downloading and installing, but, under Windows XP, does not ask the user's permission for the latter – a fact which heise Security has confirmed in its own tests. Under Windows 7 and Vista, the UAC steps in to require confirmation.
According to Raff, automation of the DLM carries within it the potential for misuse. As long as DLM is active, an attacker can divert a victim to the Adobe website for the purpose of installing the Adobe Reader plug-in. If the attacker has a zero day exploit for Adobe Reader, such as the recent vulnerability revealed in December, he would then be able to exploit the vulnerability in the Reader plug-in to gain control of a victim's PC. This would even make users who, for security reasons, have installed the Foxit Reader plug-in rather than Adobe Reader vulnerable to attacks.
- Security update released for Adobe Reader and Acrobat, a report from The H.
- Two critical holes closed in Adobe Reader and Acrobat, a report from The H.
- Adobe still distributing old vulnerable Reader, a report from The H.