Adobe hit by major download security flaw

20 Feb 2010

Software giant Adobe – the maker of Flash and Reader software that this week celebrated the 20th anniversary of Photoshop – has been hit by a major security vulnerability that is misrouting Mac updates to Windows updates.

Hot on the heels of controversy over known vulnerabilities in Adobe Reader 9.3.0, reports say the Adobe Download Manager contains a bug that allegedly allows hackers to remotely install malicious files on users’ PCs.

It has been suggested that the Download Manager is an ActiveX script that is widely used to install a variety of software and patches across Adobe’s network.

Israeli security researcher Aviv Raff identified the flaw, which allows a third-party application to be installed on a user’s machine if the user clicks on a link.

In his blog, Raff says that although he informed Adobe, the company downplayed the risk.

“While it is true that the Adobe Download Manager is removed upon computer restart, the user, who has just updated their Adobe product (usually without the requirement to restart the computer after the update), is still exposed to forced automatic installation until they restart their computer.

“This specific design flaw does indeed force installation of the latest version of Adobe products. But, what if there is a zero-day flaw in an Adobe product, and you have decided to remove it from your system because of that zero-day?

“An attacker can force you to automatically download and install the vulnerable Adobe product, and then exploit the zero-day vulnerability in that product.”

A recent report from ScanSafe, based on more than a trillion web requests processed in 2009, found that the use of malicious PDF files exploiting flaws in Adobe Reader/Adobe Acrobat not only outpaced the use of Flash exploits but also grew to 80pc of all exploits the company encountered throughout the year.

“This is the kind of scenario that’s common when skilled, motivated attackers are going after select targets.

“And yes, you do get a big dialog box when you are forced to download the software. Like this will really matter to the attacker, when all he wants is to get his malicious software on your machine,” Raff said.

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years