Horrible!
Adobe's download manager is complete shit. I hate it. Just give me the direct download to the file any day. I refuse to let the DM run whenever I get hit with it.
A researcher has unearthed a bug in software used to install Adobe's ubiquitous Reader and Flash applications that can be exploited to remotely install malicious files on end user PCs. The Adobe Download Manager is an ActiveX script that is invoked when people install or update Reader or Flash using Internet Explorer. …
Use FF to download the Flash control for IE, and IE to download the Flash plugin for firefox/safari/chrome. That will give you the two standalone executables:
http://get.adobe.com/flashplayer/otherversions/
For Reader, go to ftp://ftp.adobe.com and download the installer without all the Air crap.
But, Adobe went on record a few weeks ago saying they didn't ship software with any bugs.
What did they /think/ would happen if they made a claim like that? Remember MS launching Vista as their "Most secure OS yet"? IIRC, several major flaws were discovered and exploited about half a day after the first release candidate went out to the public.
If you want to live in ignorance, then feel free to not read the articles and just get your spoon-fed updates from Adobe as and when (and now cross your fingers that it *is* an update from Adobe that you get).
The fact is that this particular flaw is a problem in a piece of software that isn't even useful, it just adds a layer of complexity to what should be a straightforward download and now it adds a security hole to go with it.
Adobe could fix this with a quick re-write of their web page, probably in less than half a day, but I can almost guarantee that they will persist with the download manager.
"The attack combines a vulnerability on Adobe's website with a defect in the download manager. The result: he was able to install and execute his own instance of the Windows calculator on a Register test machine."
::shakes head:: I guess I'll be getting calls, but I don't work on Windows anymore.
"Aviv demonstrated the exploit on the condition further technical details be withheld."
Good plan. Gives Adobe a day or so cushion to fix it before the exploit is in the wild ...
"Adobe Download Manager would be as good a place as any to start."
ITYM "Adobe products would be as good a thing as any to avoid."
1. Don't do that. It gives the rest of us a bad name and it's fucking puerile. This sort of post gives certain intellectually challenged individuals an excuse to troll.
2. Firefox. It's got as many holes as any of the other browsers, and more of these are becoming apparent as its popularity increases. Security through obscurity is no security at all.
Firefox does have exploits but it can be sandboxed and because it's not deeply hooked into the OS there's little chance of getting round the sandbox. My copy only has access to a few folders, cannot install software or run external programs with enough file and|or system privileges to even work let alone do damage.
Remember: IE is evil because it deliberately pushes its bugs into the OS with high privileges, not because it's buggy.
If it means he's safe for another 5 weeks while all the PC users are potentially screwed then doesn't that say something...?
I seem to remember the last "hack" against OSX from last year - wasn't it reliant on about 10 or 12 things that just could never happen in the wild...?
It doesn't matter if the Mac is "the Ford transit of computer security" - we all lock our vans up tightly behind firewalls, don't we!
Ensuring the largest number of hackers gain access to the largest number of machines in 1 package.
And someone pointed out in another El Reg comments section that they thought DM was a vuln that needed checking.
Looks like they were right.
Has the underlying mechanism of ActiveX been ported to *any* other platform?
Download manager completely failed to update Reader on at least 3 separate systems giving a completely unhelpful error non-message each time. After much searching, it appears to be due to some files in the Reader installation directory that were locked by Windows indexing service, but do you think Adobe would tell you that?
I've now disabled all Adobe update checks and manually update their bloatware by downloading the not very easy to find standalone installer.
If you want the standalone installers because you look after a number of machines (or simply want to avoid the download manager) it's very easy: just ignore the prompt to install the download manager, and click the "If your download didn't start automatically..." link. As a bonus, in the case of Reader, you get it without the AIR and Adobe.com crapware.
The second screenshot is easily enough to guess the issue: it whitelists *.adobe.com URLs, then he uses the open redirector on feed.adobe.com (the obvious nextPage one) to 302 to his site.
http://feeds.adobe.com/controller.cfm?hastHandler&action=click&postId=1&nextPage=http://theregister.co.uk
Still, as it prompts first and is only installed transiently by nature, I agree with Adobe, this is not a big deal. After all, what's the difference between just visiting http://evil.com/malware.exe and being prompted and getting prompted by some crappy control?