14 DAY TRIAL // A serious vulnerability has been identified in the Adobe Download Manager application used to update Flash Player and Adobe Reader. Attackers can reportedly leverage the bug to forcefully install any executable file on computers with the vulnerable application installed.
According to Adobe, the purpose of its Download Manager (DLM) application is to ensure that updates are delivered successfully and securely to Flash Player and Reader users. "The Adobe DLM is signed by Adobe, uses SSL, MD5 checksum integrity verification, encryption and other methods to insure that the software you request is the software you receive from Adobe," the company states in a FAQ section on its website.
On Monday, a day before an out-of-bounds patch for Adobe Reader and Acrobat was pushed to users, reputed security expert Aviv Raff disclosed a security issue with Adobe DLM. According to the researcher, users with the program installed on their computer can be forced to install several Adobe products by simply visiting a page with specially crafted IFrames.
"So, even if you use an alternative PDF reader, an attacker can force you to download and install Adobe Reader, and then exploit the (yet to be patched, but now known) vulnerability," Mr. Raff explained. This also applies to Adobe Flash, Adobe Air, the ARH tool, Google Toolbar, McAfee Security Scan Plus, New York Times Reader and Fanbase, all products that can be deployed via Adobe DLM.
In response, Adobe downplayed the security issue by listing some Adobe DLM particularities that don't touch on the real issue of zero-day threats, which are well too common with Adobe Flash Player and Reader. However, this problem was minor in comparison with the vulnerability Raff later discovered in the same application.
"I found yet another issue - a remote code execution flaw in the Adobe Download Manager. Basically, what I found is that an attacker can force an automatic download and installation of ANY executable he desires," the researcher noted. No technical details are disclosed for obvious security reasons, but Raff does stress that "Adobe’s claim in regards to Adobe Download Manager use of SSL in downloading the software is simply not true."
Meanwhile, the company's Product Security Incident Response Team (PSIRT) announced on its blog that "We are working with the researcher, Aviv Raff, and the third party vendor of this component to investigate and resolve the issue as quickly as possible."
