Security vulnerability in Akamai Download Manager
Akamai, a provider of online load balancing and online content distribution services, has issued a security advisory identifying two security vulnerabilities in its Download Manager which allow an attacker to gain control of a Windows computer. The problem is caused by buffer overflows in the ActiveX version of the "Akamai Download Manager" (DownloadManagerV2.ocx) for Internet Explorer, which can be exploited to inject and execute malicious code. A victim merely needs to visit a specially crafted web page.
Many users will have installed the flawed ActiveX control when, for instance, downloading Windows Vista Release Candidate 1 or Beta 2, which Microsoft at the time preferred to distribute in this way. There is a Java version of Download Manager for other browsers which does not contain the vulnerability.
According to Akamai, one of the bugs is in all versions prior to 220.127.116.11. The second bug is present in versions 18.104.22.168 and later only. Both bugs are fixed in version 22.214.171.124. According to Akamai, to install the new version, users simply need to visit the update page for the control. The new control is then offered for installation. To check whether this control is installed, take a look at C:\Windows\Downloaded Program Files\.
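The folder check described above can be scripted for an inventory sweep. The following PowerShell is an added example, not code from Akamai or from the original article; the parameter names are hypothetical, and the fixed version number must be supplied by the operator from Akamai's advisory.

```powershell
# Added example: report whether the Akamai Download Manager ActiveX control
# is present and whether its file version is older than the fixed release.
param(
    # Fixed version as published in Akamai's advisory (operator-supplied; no default on purpose).
    [Parameter(Mandatory = $true)]
    [version]$FixedVersion,

    # File name of the control as given in the article.
    [string]$ControlName = 'DownloadManagerV2.ocx'
)

# Resolve the folder from %windir% instead of hard-coding C:\Windows.
$folder = Join-Path $env:windir 'Downloaded Program Files'

# -Force also lists hidden/system entries; Explorer shows this folder with a special view.
$hits = Get-ChildItem -LiteralPath $folder -Filter $ControlName -Force -ErrorAction SilentlyContinue

if (-not $hits) {
    Write-Output "$ControlName not found in $folder"
    return
}

foreach ($file in $hits) {
    $vi = $file.VersionInfo

    # Build the version from the numeric parts of the version resource.
    # The FileVersion string of older controls may use commas ("1, 2, 3, 4"),
    # which a plain [version] cast would reject.
    $installed = New-Object System.Version(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Path             = $file.FullName
        InstalledVersion = $installed
        FixedVersion     = $FixedVersion
        NeedsUpdate      = ($installed -lt $FixedVersion)
    }
}
```

The output objects can be piped to `Export-Csv` when the script is run across several machines.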
- Akamai Technologies Security Advisory 2007-0001, security advisory from Akamai
- Akamai Download Manager ActiveX Stack Buffer Overflow Vulnerability, security advisory from iDefense