Softpedia
 


February 24th, 2010, 14:56 GMT

Adobe Patches Critical Bug in Download Manager

Adobe released a security update yesterday for its Download Manager (DLM) application used to install Flash Player and Adobe Reader. The patch addresses a critical remote code execution vulnerability, which allowed a potential attacker to push any executable file to unsuspecting users.

The serious Adobe DLM flaw was publicly disclosed on February 18 by reputed security researcher Aviv Raff, after the company downplayed the importance of a different security issue with the application. The expert held back on any technical details in order to give Adobe time to come up with a fix.

The researcher limited himself to saying that "Adobe’s claim in regards to Adobe Download Manager use of SSL in downloading the software is simply not true." This was later confirmed by Brad Arkin, Adobe's director for product security & privacy, who wrote in a Twitter reply to Raff that "You were right about SSL. Thanks again for pointing that out. We updated the page to reflect that last week."

Fortunately, the window of exposure for this vulnerability is rather limited and no large-scale attacks exploiting it have been reported so far. This is partially because Adobe DLM is a temporary software delivery tool designed to remove itself at the first computer reboot after being used to install Adobe Reader or Flash Player.

Therefore, updating should be rather straightforward: just restart, and the next time Adobe DLM is needed, a patched version will be deployed. However, in some environments, a reboot could be impractical. In this case, the program can be uninstalled via "Add/Remove Programs" or manually by deleting the "C:\Program Files\NOS\" folder and removing the "getPlus(R) Helper" service.

Adobe's security advisory on this vulnerability reveals that the company knew about the problem even before Raff's disclosure. Apparently, the flaw was also reported to Adobe by Yorick Koster through iDefense's Vulnerability Contributor Program. "Partial disclosure wins again! Adobe already knew about the DLM vuln via iDefense, but fixed it only after my public disclosure," commented Aviv Raff.
