Wednesday, February 17, 2010

Disconcerting news about the Adobe Download Manager

I have been uninstalling this whenever I see it, so it's good to see that my suspicious nature has paid off.

Security Updates for Adobe Reader, Acrobat — Krebs on Security
Update, 4:06 p.m. ET: If you decide to do without Adobe Reader and uninstall it, you might want to nix the Adobe Download Manager as well. Researcher Aviv Raff points to some nifty work he’s done which shows that Adobe’s Download Manager — which ships with all new versions of Flash and Reader — can be forced to reinstall an application that’s been removed, such as Reader. According to Raff, a Web site could hijack the Adobe Download Manager to download and install any of the following:
  • Adobe Flash 10
  • Adobe Reader 9.3
  • Adobe Reader 8.2
  • Adobe Air 1.5.3
  • ARH tool – allows silent installation of Adobe Air applications
  • Google Toolbar 6.3
  • McAfee Security Scan Plus
  • New York Times Reader (via Adobe Air)
  • Fanbase (via Adobe Air)
  • desktop shortcut
Raff writes: “So, even if you use an alternative PDF reader, an attacker can force you to download and install Adobe Reader, and then exploit the (yet to be patched, but now known) vulnerability. The attacker can also exploit 0-day vulnerabilities in any of the other products mentioned above.” Read more on his findings at this link here.
Note: According to Aviv Raff, Firefox users should disable or uninstall the Adobe Download Manager extension in addition to uninstalling the Adobe Download Manager program. Of course, if you're constitutionally paranoid like me ;-) you won't have either installed [grin].
