Feeds

Researcher spies new Adobe code execution bug

Download Manager + web flaw = threat

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

A researcher has unearthed a bug in software used to install Adobe's ubiquitous Reader and Flash applications that can be exploited to remotely install malicious files on end user PCs.

The Adobe Download Manager is an ActiveX script that is invoked when people install or update Reader or Flash using Internet Explorer. Researcher Aviv Raff has figured out how to exploit it to install any file he wishes simply by tricking a user into clicking on a link on the Adobe.com domain.

The attack combines a vulnerability on Adobe's website with a defect in the download manager. The result: he was able to install and execute his own instance of the Windows calculator on a Register test machine. Aviv demonstrated the exploit on the condition further technical details be withheld.

"Instead of admitting that this design flaw is indeed a problem which can be abused by malicious attackers, Adobe decided to downplay this issue," Raff wrote here in disclosing the vulnerability. He was referring to unpublished comments an Adobe spokeswoman made to Zero Day blogger Ryan Naraine.

In part, the comments said the download manager "is designed to remove itself from the computer after use at the next restart," "can only be used to download the latest version of software hosted on Adobe.com," and "presents a very large user dialog box when downloading software."

But because the download manager remains on a machine until it is rebooted, attackers have ample opportunity to exploit the bug. Assuming the typical machine is restarted once every 24 to 72 hours, attacks have a reasonable chance of success as long as they are launched within the first one to three days of a recent update. (We're guessing a fair percentage of people would be unfazed by the dialog box).

And once that happens, attackers have the ability to remotely install malicious code on an untold millions of PCs, as the following screenshots suggest.

Screenshot of Adobe Download Manager
Screenshot of Windows caculator installed

In an email to El Reg in response to Raff's post, Adobe spokeswoman Wiebke Lips wrote: "Adobe is aware of the recently posted report of a remote code execution vulnerability in the Adobe Download Manager. We are working with the researcher, Aviv Raff, and the third party vendor of this component to investigate and resolve the issue as quickly as possible."

Updates will be posted on Adobe's PSIRT blog, she added.

As we suggested recently, the myriad bugs that over the past few years have routinely imperiled the entire internet have made Adobe the Toyota of the software industry. Company security personnel seem intent of correcting the problems, but the only way for that to happen is to launch a comprehensive initiative that makes a top-to-bottom review of the company's entire code base.

Adobe Download Manager would be as good a place as any to start. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.